Preface

This document is one of a series of publications of the Software Engineering Institute at Carnegie Mellon University called security improvement modules. They are intended to provide practical guidance to help organizations improve the security of their networked computer systems.

Module structure

Each module addresses an important but relatively narrowly defined problem in network and system security. The first section of the module describes the problem and outlines a set of security improvement practices to help solve it. Each practice is a recommended way of performing common tasks related to the secure operation of networked computer systems.

The remaining sections of the module are detailed descriptions of the practices. Each includes a rationale for the recommended actions and a description of how to perform them.

Intended audience

The practices are primarily written for system and network administrators whose day-to-day activities include installation, configuration, and maintenance of the computers and networks. Occasionally, practices are written to assist the managers responsible for network and system administration.

Revised versions

Network and system technologies continue to evolve rapidly, leading to new security problems and solutions. Modules and practices need to be revised occasionally, so to permit more timely publication of new versions, we also publish them on the World Wide Web. At the end of each section of this document is the URL of its Web version.

Implementation details

How an organization adopts and implements the practices often depends on the networking and computing technologies it uses. For some practices, technology-specific implementation details are published on the World Wide Web. The Web version of each practice contains links to the implementation details.
Securing Desktop Workstations

Securing desktop workstations should be a significant part of your network and information-security strategy because of the sensitive information often stored on workstations and their connection to the rest of the networked world.

Many security problems can be avoided if the workstations and network are appropriately configured. Default hardware and software configurations, however, are set by vendors who tend to emphasize features and functions more than security. Since vendors are not aware of your security needs, you must configure new workstations to reflect your security requirements and reconfigure them as your requirements change.

The practices recommended here are designed to help you configure and deploy networked workstations that satisfy your organization's security requirements. The practices may also be useful in examining the configuration of previously deployed workstations.

A note on terminology

The word "workstation" is used in this module to mean the combination of the hardware, operating system, application software, and network connection. When it is necessary to be more specific, we explicitly mention one of those four components.

Although this module focuses on securing desktop workstations, many of the practices are also applicable to securing network servers or other computers on your network. To make it easier to include those practices in other modules, we use the word "computer" broadly; it can mean workstations, servers, or other computers.

Who should read these practices

These practices are applicable to your organization if

• you operate or plan to operate a network that includes desktop workstations

• users of those workstations have network access to hosts inside your organization and to hosts outside through common Internet protocols

We assume that you have the following security requirements for information resources stored on or accessed by users or processes on those workstations:

• Some or all of the information is sensitive or proprietary. Access must be limited to authorized and properly authenticated users (inside or outside your organization).

• The integrity of that information is critical. It must not be compromised; that is, it must not be modified by unauthorized users or by processes operating on their behalf.

• That information must be readily accessible by authorized users whenever they need it to perform their work.

What these practices do and do not cover

These practices address security issues for desktop workstations within your organization. They do not attempt to address security issues for

• portable workstations and laptop computers

• workstations at geographically remote sites that may connect to your site through the Internet or public telephone networks

• desktop machines that operate as network servers

Although many of the practices described here are applicable to these types of computers, we do not include other practices that are unique to them.

These practices are limited to security issues related to configuring the workstation itself. We recognize that security of the workstation also depends on security of the network to which it is connected, and we plan to describe network security practices in subsequent modules.

The focus of these practices is to help you establish an appropriate configuration for a workstation when it is first deployed. They do not cover all security aspects of the day-to-day operations of a workstation, which we address in other modules. For example, activities related to detecting signs of intrusion on a desktop workstation are covered in the modules Preparing to Detect Signs of Intrusion [Kochmar 98] and Detecting Signs of Intrusion [Firth 97a].

The practices do not include the initial setup of the workstation: unpacking it, confirming the hardware configuration, installing the default operating system, and making the network connection. However, some of the practices are most effective if performed during the process of installing the operating system.

Finally, these practices do not address physical security of workstations in detail.

Security issues

There are three main security issues related to securing a workstation:

1. Confidentiality - Information stored on the workstation may be disclosed inappropriately. This can happen when

• unauthorized users gain access to the workstation

• authorized users gain access to information that they are not supposed to see

• authorized users inappropriately transmit information via the network

2. Integrity - Information stored on the workstation may be changed, either accidentally or maliciously.

3. Availability - Authorized users may be unable to use the workstation, the network, or the information and services stored on each to perform their jobs. This can result when

• the information has been damaged, deleted, or otherwise rendered inaccessible (such as being encrypted or having its access privileges changed)
• the computational resources of the workstation have been damaged or overloaded to the point of preventing authorized users' work

• access to services has been denied

Security improvement approach

To secure a desktop workstation, we recommend a four-part approach. It requires implementing security practices in the following areas:

1. planning and executing the deployment of workstations

2. configuring workstations to prevent security incidents

3. maintaining the integrity of the deployed workstation

4. improving user awareness of security issues

The practices are designed to improve security in several ways:

• They promote consistency. When the configuration and deployment of workstations is consistent, it is easier to manage security and to predict or identify use outside the norm.

• They help to maximize security on each workstation. This provides vital protection in case of failure of perimeter defenses. Host security is also a first line of defense against internal threats, which generally have a higher probability of occurrence than external threats via the network.

• They help you recognize security incidents sooner, help prepare you to recover from security breaches, and prevent similar breaches from recurring. As a result, you can reduce damages from security incidents.

Summary of recommended practices

Planning deployment

  1. Develop a computer deployment plan that includes security issues.

Configuring workstations

  2. Keep operating systems and applications software up to date.
  3. Configure computers for user authentication.
  4. Configure computer operating systems with appropriate object, device, and file access controls.
  5. Identify and enable system and network logging mechanisms.
  6. Configure computers for file backups.
  7. Protect computers from viruses and similar programmed threats.
  8. Configure computers for secure remote administration.
  9. Configure computers to provide only selected network services.
  10. Configure network service clients to enhance security.
  11. Configure multiple computers using a tested model configuration and a secure replication procedure.

Maintaining workstation integrity

  12. Allow only appropriate physical access to computers.

Improving user awareness

  13. Develop and promulgate an acceptable use policy for workstations.
Abbreviations used in these practices

DNS    Domain Name System
ftp    file transfer protocol
http   hypertext transfer protocol
IP     Internet Protocol
LAN    local area network
NFS    Network File System
NIS    Network Information Service
NTP    Network Time Protocol
smtp   simple mail transfer protocol
TCP    transmission control protocol
WORM   Write Once, Read Many
WWW    World Wide Web

References

Where to find updates
Develop a computer deployment plan that includes security issues.

Most deployment plans address the cost of the computers, schedules to minimize work disruption, installation of applications software, and user training. In addition, you need to include a discussion of security issues.

Why this is important

You can eliminate many networked systems vulnerabilities and prevent many security problems if you securely configure computers and networks before you deploy them. Vendors typically set computer defaults to maximize available functions, so you usually need to change defaults to meet your organization's security requirements.

You are more likely to make decisions about configuring computers appropriately and consistently when you use a detailed, well-designed deployment plan. Developing such a plan will support you in making some of the hard trade-off decisions between usability and security.

Consistency is a key factor in security as it fosters predictable behavior. This will make it easier for you to maintain secure configurations and help you to identify security problems (which often manifest themselves as deviations from predictable, expected behavior). Refer to the practice "Keep operating systems and applications software up to date."

How to do it

Make the decisions described below and then record them.

Note: We assume that you are deploying workstations and servers in an existing infrastructure, which includes an existing network. The security issues related to the network architecture, including where you place servers and workstations on the network, are outside the scope of this practice.

> Identify the purpose of each computer.

Document how the computer will be used. Consider the following:

• What categories of information will be stored on the computer?

• What categories of information will be processed on the computer (but retrieved from and stored on another computer)?

• What are the security requirements for that information?

• What network service(s) will be provided by the computer?

• What are the security requirements for those services?
> Identify the computer hardware and operating system requirements.

Document the needed hardware, including the processor architecture, memory requirements, secondary storage requirements (such as hard disk drives and removable-medium drives), networking requirements (such as modems or Ethernet cards), display monitor, and other audiovisual requirements (such as video cameras or microphones).

Document the hardware configuration. This will help you select and securely configure the software.

Document the operating system features needed, even if you are confined to using one vendor's operating system. Include the requirements for both general security features (such as capabilities for user authentication and file access controls) and for special security features (such as an encrypting file system, or a built-in feature to erase memory and disk blocks before reallocating them).

Do not purchase or deploy systems that fail to meet your security requirements.

> Identify the network services that will be provided on the computer.

The network services you list in your deployment plan may include electronic mail, access to corporate databases, and access to the World Wide Web. For each service, document whether the computer will be configured as a client, a server, or both. Include also peer-to-peer network services, such as file sharing.

Clients: Workstations are normally configured as clients for several network services. You should document the planned behavior of those clients: the levels of access required, the type of access (read, write, etc.), and other aspects of the configurations required for client software.

Servers: As a general rule, a network server should be dedicated to a single service. This usually simplifies configuration, which reduces the likelihood of configuration errors. It also can eliminate unexpected and unsafe interactions among the services that present opportunities for intruders.

In some cases, it may be appropriate to offer more than one service on a single host computer. For example, the server software from many vendors combines the file transfer protocol (FTP) and the hypertext transfer protocol (HTTP) services in a single package. For some organizations, it is appropriate to provide access to public information via both protocols from the same server host.

> Identify the network service software, both client and server, to be installed on the computer.

Many operating systems include network service software for both clients and servers. You may simply choose to use those packages. For major services, however, there are several choices that vendors may provide. When making your choice, pay special attention to the ability of candidate packages to meet your security requirements, and document your selection.

> Identify other application or utility software that will be installed on the computer.

List in your deployment plan not only user-oriented application software, but also system-related software and security-related software. The module Preparing to Detect Signs of Intrusion [Kochmar 98] provides details on selecting some kinds of security-related software.
> Identify the users or categories of users of the computer.

For workstations, you will sometimes be able to identify an individual who will be the primary user; but more often, you will have to define categories of users. The categories are based on user roles that reflect their authorized activity. The roles are often based on similar work assignments and similar needs for access to particular information resources: system administrators, software developers, data entry personnel, etc. If appropriate, include categories of remote users and temporary or guest users.

For network servers, document the categories of users that will be allowed access to the provided services. For public servers connected to the Internet, the category of users is probably everyone. For internal servers, you may need to categorize users by their organizational department, physical location, or job responsibilities. You also need a category of administrative users who will need access to administer the network server and possibly one for backup operators.

In general, you should prevent the use of a network server as a workstation. This will ensure that its users are only those who are accessing the provided service (almost always from another computer on the network) and those responsible for server administration.

> Determine the privileges that each category of user will have on the computer.

Documenting privileges typically requires creating a matrix of users (defined in the previous step) and privileges. The privileges are customarily in groups that define what system resources or services a user can read, write, change, execute, create, delete, install, remove, turn on, or turn off.

> Decide how users will be authenticated and how authentication data will be protected.

For workstations, it is common to authenticate users via the authentication capability provided with the operating system.

For network servers, there are usually two kinds of authentication: (1) that provided with the operating system, commonly used for authenticating administrative users, and (2) authentication provided by the network service software, commonly used for authenticating users of the service. A particular software implementation of a network service may rely on the authentication capability provided by the operating system, and thus it may be necessary for users of that service to have a local identity (usually a local account) on the server.

Authentication mechanisms can be both procedural and technological. The most common approach is the use of passwords; but other mechanisms can be used, such as keys, tokens, and biometric devices (devices that recognize a person based on biological characteristics such as fingerprints or patterns of the retinal blood vessels).

Because authentication mechanisms like passwords require information to be accessible to the authentication software, carefully document how that information will be protected. Authentication data is critical security information that requires a high level of protection.

> Determine how appropriate access to information resources will be enforced.

For many resources, such as program and data files, the access controls provided by the operating system are the most obvious means to enforce access privileges. Also, consider using encryption technologies to protect the confidentiality of information. In some cases, protection mechanisms will need to be augmented by policies that guide users' behavior related to their workstations.
> Develop intrusion detection strategies for the computer.

Many of the common intrusion detection methods depend on the existence of various logs that your systems produce and on the availability of auditing tools that analyze those logs. In your deployment plan, describe the kinds of information that will be collected on each computer in support of security. This will help you install the appropriate software tools and configure these tools and the operating system to collect the necessary information.

This topic is elaborated in the security improvement module Preparing to Detect Signs of Intrusion [Kochmar 98].

> Write a plan for backup and recovery of information resources stored on the computer.

Possessing recent, secure backup copies of information resources makes it possible for you to quickly restore the integrity and availability of information resources. Successful restoration depends on configuring the operating system, installing appropriate tools, and following defined operating procedures. You need to document backup processes, roles, responsibilities, and how the physical media that store the backup data are handled, stored, and managed. Consider using encryption technologies to protect the backups.

For some network servers, such as those providing public services like the World Wide Web, it is common to develop the information content of those services on a different host machine. The authoritative version of this content is maintained (and backed up) on this second computer, and then transferred to the public server. This method makes it unnecessary to perform file backups of the server itself. If the information is ever compromised, you can restore it by transferring a copy from the authoritative version. For more information, refer to the practice "Configure computers for file backups."

> Determine how network services will be maintained or restored after various kinds of faults.

To maintain the availability of services essential to your business, you generally need some level of redundancy. For example, you may want to specify when to use hot, warm, and cold backups. Hot backups provide the capability to immediately switch configurations because the backup system is run in parallel with the primary system. Warm backups require some degree of reconfiguration before you use them since they are not run in full parallel with operational systems. You must start cold backups from a shutdown state and bring them up to date before using them.

Write a plan to ensure that no single failure (power supply, hardware, software, etc.) will make an essential service unavailable for a period of time you consider unacceptable.

> Develop and follow a documented procedure for installing an operating system.

In your procedure, include steps to implement all the decisions you made in the steps above and describe all the parameters that are set during installation.

In many cases, the parameters are recorded in scripts or configuration files that are executed or read during various phases of the installation. Make all your parameter choices explicit, even if they match the vendor's current default settings. (This may seem to be unnecessary, but it can prevent security problems if you subsequently reuse your scripts or configuration files to configure future workstations and servers.) Your explicit choices will still be used even if the vendor's defaults have changed with new releases. Your installation procedure should also specify the vendor's security-related updates or patches that are to be applied to the operating system.
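The following Python script is an added example, not part of the original module, illustrating the point about explicit parameter choices. It records a deployment plan as an install-time configuration file in which every parameter is set, and then audits what a computer actually ends up with. The parameter names, the two sets of "vendor defaults" (one release changes a default), and the hand-written partial configuration file are all constructed for illustration and do not correspond to any particular operating system.

```python
"""Record every installation parameter explicitly and audit a computer
against the recorded plan.  Added example; parameter names, vendor
defaults and the sample configuration file are constructed for illustration."""

# Vendor defaults for two releases of a hypothetical operating system.
# Between releases the vendor changed one default (remote_root_login).
VENDOR_DEFAULTS_V1 = {
    "remote_root_login": "no",
    "password_min_length": "6",
    "log_failed_logins": "yes",
    "guest_account": "enabled",
}
VENDOR_DEFAULTS_V2 = {
    "remote_root_login": "yes",   # default changed in the new release
    "password_min_length": "6",
    "log_failed_logins": "yes",
    "guest_account": "enabled",
}

# The deployment plan: every decision is recorded, including the ones
# that happen to match the vendor's current (v1) defaults.
PLAN = {
    "remote_root_login": "no",
    "password_min_length": "8",
    "log_failed_logins": "yes",
    "guest_account": "disabled",
}


def parse_config(text):
    """Parse a simple 'name = value' configuration file.  Blank lines and
    '#' comments are ignored; later settings override earlier ones."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        settings[name.strip()] = value.strip()
    return settings


def render_config(plan):
    """Write the plan as an install-time configuration file in which every
    parameter is set explicitly, even those matching today's defaults."""
    lines = ["# generated from the deployment plan; do not rely on defaults"]
    for name in sorted(plan):
        lines.append("%s = %s" % (name, plan[name]))
    return "\n".join(lines) + "\n"


def effective_settings(config_text, vendor_defaults):
    """What the installed system actually ends up with: the vendor
    defaults overlaid with whatever the configuration file sets."""
    effective = dict(vendor_defaults)
    effective.update(parse_config(config_text))
    return effective


def implicit_parameters(config_text, plan):
    """Parameters the plan decided but the file leaves to the default.
    Any of these silently changes when the vendor changes a default."""
    return sorted(set(plan) - set(parse_config(config_text)))


def audit(config_text, vendor_defaults, plan):
    """Return {parameter: (planned, actual)} for every deviation from the
    plan on a system installed from config_text under vendor_defaults."""
    actual = effective_settings(config_text, vendor_defaults)
    return {
        name: (planned, actual.get(name))
        for name, planned in plan.items()
        if actual.get(name) != planned
    }


# A configuration file written by hand that records only the settings
# differing from the v1 defaults, later reused unchanged on a v2 install.
PARTIAL_CONFIG = """
# only the non-default choices were written down
password_min_length = 8
guest_account = disabled
"""

if __name__ == "__main__":
    explicit = render_config(PLAN)
    print("left to defaults in partial file:", implicit_parameters(PARTIAL_CONFIG, PLAN))
    print("partial file on v2, deviations:", audit(PARTIAL_CONFIG, VENDOR_DEFAULTS_V2, PLAN))
    print("explicit file on v2, deviations:", audit(explicit, VENDOR_DEFAULTS_V2, PLAN))
```

Run on the v1 release both files produce a conforming system; on the v2 release the partial file silently yields remote_root_login = yes, while the file generated from the plan still matches it. The audit function is also usable on an already-deployed computer, given the effective settings read from it.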
> Determine how the computer will be connected to your network.

There are concerns relating to network connections that can affect the configuration and use of any one computer.

LANs: Many organizations use a fast, shared-medium networking technology such as Ethernet for their local area networks. In these cases, information traversing a network segment can be seen by any computer on that segment. This suggests that you should only place "trusted" computers on the same network segment, or else encrypt information before transmitting it.[1]

Modems: Modems permit direct connectivity between one of your computers (and thus, potentially, your internal network) and the external networks reachable by the public telephone network. Many organizations forbid users to attach a modem to a workstation.

It is also important to document the use of modems on a network server. As a general rule, do not attach modems to any servers other than those whose purpose is to provide dial-in access.

> Identify the security concerns related to day-to-day administration of the computer.

If your organization is small, it may be feasible to administer both workstations and network servers individually from their consoles. We recommend this method because it is the most secure.

In most cases, however, workstations and servers are some distance from the offices of the system administrators. As a result, a significant amount of day-to-day administration is done from the administrator's workstation via the network. Permitting remote administration in a secure manner typically requires configuring the operating system and installing various administration software tools, possibly including tools to encrypt administration commands and data between the target computer and the administrator's workstation. Thus, you need to document your administration processes to configure the computer appropriately.

Note that a detailed administration plan is not required here. Such a plan is necessary for a well-run organization, but it addresses a broader range of issues than just security and is therefore outside the scope of this practice.

> Identify actions to protect information contained on hardware that is no longer in use.

Determine what steps you need to take to ensure that the information contained on hardware being updated, replaced, removed from service, or disposed of is eliminated to the extent possible. For example, erase and reformat disks, rewrite tapes, and clear firmware passwords. The extent of your actions is dependent upon the sensitivity of the information. You may need to physically destroy hardware containing highly sensitive information to ensure that the hardware cannot be used and that the information cannot be accessed.
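The following Python script is an added example, not part of the original module, showing why "erase and reformat" means erase first and then verify. It models a small disk image in memory, applies a quick reformat that rewrites only the filesystem header block, and shows that a residual-data scan still finds the old records; a full overwrite followed by the same scan is what should be recorded as "erased". The disk image, block size, sample records and the simplified notion of a reformat are all constructed for illustration.

```python
"""Check that storage being retired actually has its contents erased.
Added example; the 'disk' is an in-memory byte array constructed for
illustration, and 'reformat' is simplified to rewriting block 0 only."""

BLOCK_SIZE = 512


def write(disk, offset, data):
    """Overwrite bytes in place without changing the image's length."""
    disk[offset:offset + len(data)] = data


def make_sample_disk(blocks=8):
    """Construct a small disk image: a filesystem header, two blocks of
    sensitive records, and unused blocks that are already zero."""
    disk = bytearray(blocks * BLOCK_SIZE)
    write(disk, 0, b"FSHEADER-v1-----")                          # block 0
    write(disk, 1 * BLOCK_SIZE, b"payroll: jdoe 84000 ssn 123-45-6789 ")  # block 1
    write(disk, 3 * BLOCK_SIZE, b"password_hash=abc123deadbeef")  # block 3
    return disk


def reformat(disk):
    """A quick reformat: only the header block is rewritten.  The blocks
    that held data are untouched, which is the pitfall being shown."""
    write(disk, 0, bytes(BLOCK_SIZE))
    write(disk, 0, b"FSHEADER-v2-----")


def erase(disk, pattern=0x00):
    """Overwrite every byte of the device with a fixed pattern."""
    disk[:] = bytes([pattern]) * len(disk)


def residual_blocks(disk, pattern=0x00):
    """Indices of blocks containing anything other than the erase pattern.
    An empty list means no residual data remains on the device."""
    expected = bytes([pattern]) * BLOCK_SIZE
    found = []
    for index in range(len(disk) // BLOCK_SIZE):
        start = index * BLOCK_SIZE
        if bytes(disk[start:start + BLOCK_SIZE]) != expected:
            found.append(index)
    return found


def readable_strings(disk, min_len=8):
    """Printable ASCII runs still on the device: roughly what a trivial
    recovery tool would show whoever receives the hardware next."""
    runs, current = [], bytearray()
    for byte in disk:
        if 32 <= byte < 127:
            current.append(byte)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


def verify_erased(disk, pattern=0x00):
    """True only when every block matches the erase pattern.  Run this after
    erasing and before the hardware leaves your control."""
    return residual_blocks(disk, pattern) == []


if __name__ == "__main__":
    disk = make_sample_disk()
    reformat(disk)
    print("after reformat, blocks with data:", residual_blocks(disk))
    print("still readable:", readable_strings(disk))
    erase(disk)
    print("after erase, verified:", verify_erased(disk))
```

The scan reads the whole device rather than the filesystem, because the filesystem is exactly what a reformat replaces. On real hardware the same idea applies to the raw block device; how many overwrite passes, or whether to destroy the media instead, is the sensitivity-based decision the text asks you to record.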


[1] However, note that network protocols based on TCP/IP require at least part of the information in a packet (source, destination, port) to be unencrypted, which exposes the network to traffic analysis.
Policy considerations

Your organization's security policy for networked systems should

• require that a detailed computer deployment plan be developed and followed whenever computers are being deployed (or redeployed)

• require that access to your deployment plan be permitted to only those who require the information to perform their jobs

Where to find updates

The latest version of this practice, plus implementation details for selected technologies, is available on the Web at URL

http://www.cert.org/security-improvement/practices/p025.html
Keep operating systems and applications software up to date.

You need to stay informed of vendors' security-related updates to their products, which may be called updates, upgrades, patches, service packs, or hot fixes. Whenever an update is released, you need to evaluate it, determine if it is applicable to your organization's computers, and, if so, install it.

Why this is important

Because software systems are so complex, it is common for security-related problems to be discovered only after the software has been in widespread use. Although most vendors try to address known security flaws in a timely manner, there is normally a gap between the time the problem becomes publicly known, the time the vendor needs to prepare the correction, and the time you install the update. This gap gives potential intruders an opportunity to take advantage of the flaw and mount an attack on your computers and networks. To keep this time interval as short as possible, you need to stay aware of

• announcements of security-related problems that may apply to your systems

• immediate steps you can take to reduce your exposure to the vulnerability, such as disabling the affected software

• permanent fixes from vendors

Installing applicable vendors' updates as soon as they are available can reduce your vulnerability to attack.

How to do it

> Develop a list of sources of information about security problems and software updates for your system and application software.

The most common sources of current information include Web sites of vendors and computer- and network-security organizations.[1] There are also mailing lists, some of which are sponsored by vendors, and USENET news groups.

See Preparing to Detect Signs of Intrusion [Kochmar 98], specifically the implementation "Maintaining currency by periodically reviewing public and vendor information sources". This implementation is available at http://www.cert.org/security-improvement/implementations/i040.01.html.

> Establish a procedure for monitoring those information sources.

In the case of mailing lists, you usually receive announcements about security problems and software updates soon after they are available. Web sites vary considerably in the timeliness of their announcements, so you need to decide how often to look for information there. Some of the news-oriented Web sites are updated one or more times a day, so daily monitoring is a good idea.

[1] For example, the CERT/CC site at URL http://www.cert.org.

> Evaluate updates for applicability to your systems.

Not  all  updates  are  applicable  to  the  configuration  of  the  computers  and  networks  in  your 
organization  and  to  your  organization's  security  requirements. 

Evaluate  all  the  updates  to  determine  their  applicability,  and  weigh  the  cost  of  deploying 
an  update  against  the  benefits. 

>  Plan  the  installation  of  applicable  updates. 

The  installation  of  an  update  can  itself  cause  security  problems: 

•  During  the  update  process,  the  computer  may  temporarily  be  placed  in  a  more 
vulnerable  state. 

•  If  the  update  is  scheduled  inappropriately,  it  might  make  a  computer  or  information 
resources  unavailable  when  needed. 

•  If  an  update  must  be  performed  on  a  large  number  of  computers,  there  can  be  a  period 
of  time  when  some  computers  on  the  network  are  using  different  and  potentially 
incompatible  versions  of  software,  which  might  cause  information  loss  or  corruption. 

•  The  update  may  introduce  new  vulnerabilities. 

Updates  can  also  cause  a  number  of  problems  in  other  installed  software.  You  may  want  to 
consider  running  a  previously  developed  regression  test  suite  to  compare  current 
performance  with  past  performance.  Another  approach  is  to  install  the  update  in  an 
isolated  test  environment  and  run  a  series  of  user  trials  before  releasing  the  update  on  your 
operational  systems. 

A  number  of  software  packages  exist  that  will  tell  you  the  differences  to  the  system  just 
prior  to  and  after  installing  the  update.  We  recommend  that  you  use  one  of  these  to  fully 
understand  and  analyze  the  effects  of  the  update  on  your  systems. 

In addition, you should always back up your system prior to applying any updates.

Update approaches that depend on an administrator physically visiting each computer are
labor intensive but will work for networks with a small number of computers. You will
need to employ automated tools to roll out updates to a large number of computers. Some
of these tools are provided by vendors for their specific products. You may need to
develop tools that are tailored to your environment if vendor tools are insufficient. When
using automated tools to roll out updates, the affected computers and the network are
likely to be vulnerable to attack during the update process. To lessen this vulnerability, you
should use only an isolated network segment when propagating the updates.

> Install the updates using a documented plan.

Follow  the  plan  developed  in  the  previous  step.  This  helps  ensure  that  you  deploy 
computers  consistently  throughout  your  organization. 

> Deploy new computers with up-to-date software.

When new workstations and network servers are being deployed, it is common to install
the operating system and other software from the original distribution media supplied by
vendors. However, those software versions may not include recent security-related
updates. Maintain an archive of updates that you have evaluated and chosen to install on
existing computers, so that you can install them on new computers before deployment.

Also  acquire  and  install  the  most  up-to-date  driver  software  (often  available  from  vendors’ 
Web  sites)  for  all  components  and  peripheral  devices.  Those  drivers  typically  address 
performance  and  security  issues  that  have  been  discovered  since  the  components  were 
packaged  and  shipped  from  the  factory.  Be  sure  to  read  all  the  release  documentation 
associated  with  the  updated  drivers  before  using  them.  Also,  whenever  possible,  verify  the 
integrity  and  authenticity  of  the  new  driver  software,  using  methods  such  as  cryptographic 
checksums  supplied  by  the  vendor. 

>  After  making  any  changes  in  a  computer's  configuration  or  its  information  content,  create 
new  cryptographic  checksums  or  other  integrity-checking  baseline  information  for  that 
computer. 

Refer  to  the  modules  Detecting  Signs  of  Intrusion  [Firth  97  a]  and  Preparing  to  Detect 
Signs  of  Intrusion  [Kochmar  98]  for  additional  information  on  the  role  of  checking  the 
integrity  of  baseline  information  to  support  intrusion  detection. 
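The checksum verification and the before-and-after comparison described above, as an added example written for this edition (it is illustrative code, not a tool from the practice or from any vendor). It computes a SHA-256 baseline of every regular file under a directory, verifies a downloaded update against the digest the vendor published, applies the update, and reports what the update added, removed or changed so that the new baseline can be reviewed before it is accepted. The directory layout, file names, file contents and the "published" digest are all constructed for the demonstration.

```python
"""Added example (not part of the CERT practice and not a vendor tool):
verify a downloaded update against the vendor's published digest, then
snapshot a directory tree before and after the update is applied so the
changes can be reviewed and the integrity baseline refreshed.  Paths,
contents and the "published" digest are constructed for the demonstration."""
import hashlib
import hmac
import os
import shutil
import tempfile


def sha256_file(path, chunk=65536):
    """SHA-256 of a file read in chunks, so large update archives fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_update(path, published_digest):
    """True if the file matches the digest the vendor published.  The digest must
    come from a channel other than the download itself (a signed advisory, the
    vendor's Web site); a digest fetched next to a replaced file proves nothing."""
    return hmac.compare_digest(sha256_file(path), published_digest.lower())


def snapshot(root):
    """Map each regular file under root to (sha256, permission bits).  Symlinks
    and special files are skipped here; a real baseline tool records them too."""
    base = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root)
            base[rel] = (sha256_file(full), os.stat(full).st_mode & 0o7777)
    return base


def diff_snapshots(before, after):
    """Paths that were added, removed, or changed (content or permissions)."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, removed, changed


def write(path, data, mode=None):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    if mode is not None:
        os.chmod(path, mode)


def demo():
    """Walk through one update on a constructed system tree and return the results."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as downloads:
        write(os.path.join(root, "bin", "srv"), b"srv v1.0\n", 0o755)
        write(os.path.join(root, "etc", "srv.conf"), b"listen=8080\n", 0o640)
        before = snapshot(root)                        # baseline taken before the update

        new_binary = b"srv v1.1\n"
        update = os.path.join(downloads, "srv-1.1.bin")
        write(update, new_binary)
        published = hashlib.sha256(new_binary).hexdigest()   # what the vendor "published"
        genuine = verify_update(update, published)
        tampered = verify_update(update, "00" * 32)    # a digest that does not match

        # apply the update: replace the binary, add a file, and loosen one permission
        shutil.copyfile(update, os.path.join(root, "bin", "srv"))
        write(os.path.join(root, "etc", "srv.d", "extra.conf"), b"debug=1\n", 0o644)
        os.chmod(os.path.join(root, "etc", "srv.conf"), 0o644)
        after = snapshot(root)                         # the new baseline, once reviewed

        added, removed, changed = diff_snapshots(before, after)
        return {"genuine": genuine, "tampered": tampered,
                "added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    print(demo())
```

In practice the "before" snapshot is the baseline you already keep for intrusion detection, the "after" snapshot replaces it only once every reported difference is one the update's release notes account for (here the loosened permission on srv.conf is exactly the kind of change worth questioning), and both snapshots are stored off the host being updated.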


Policy  considerations 

Your  organization’s  security  policy  for  networked  systems  should  require  that  systems 
administrators  install  necessary  security-related  software  updates  in  a  timely  manner. 

Other  information 

We  understand  that  you  may  not  have  sufficient  information  to  decide  whether  or  not  to 
apply  an  update  and  that  you  may  not  have  a  comprehensive  test  environment  within 
which  to  evaluate  the  effects  of  an  update.  We  recommend  that  you  implement  the  steps  in 
this  practice  to  the  extent  possible  and  practical. 

Where  to  find  updates 

The  latest  version  of  this  practice,  plus  implementation  details  for  selected  technologies,  is 
available  on  the  Web  at  URL 

http://www.cert.org/security-improvement/practices/p027.html

Configure computers for user authentication.


An  organization’s  security  policy  for  networked  systems  should  specify  that  only 
authorized  users  may  access  the  computers.  To  enforce  this,  you  need  to  configure  the 
computer  to  authenticate  a  prospective  user,  who  must  prove  that  they  are  authorized  for 
such  access. 

Configuring  the  computer  for  authentication  usually  involves  configuring  parts  of  the 
operating  system,  firmware,  and  applications  such  as  the  software  that  implements  a 
network  service.  If  your  organization  has  authentication  servers,  configuring  a  new 
workstation  or  network  server  for  user  authentication  may  require  you  to  make 
configuration  changes  on  another  computer.  In  special  cases,  you  may  also  use 
authentication  hardware  such  as  tokens,  one-time  password  devices,  or  biometric  devices 
(devices  that  can  recognize  a  person  based  on  biological  characteristics,  such  as 
fingerprints  or  patterns  in  retinal  blood  vessels). 


Why this is important

Unauthorized users can jeopardize the security of information stored on or accessible from
a computer. To prevent this, you must configure the computer to authenticate all users who
attempt access.


How to do it

This practice is most effective if you include it as part of the initial installation and
configuration of the operating system.

Your  deployment  plan  documents  the  users  or  user  categories  and  the  approach  to 
authenticating  those  users.  The  following  steps  describe  how  to  implement  that  part  of  the 
plan. 

>  Configure  the  system  to  use  available  authentication  capabilities. 

If  the  computer’s  firmware  offers  the  feature  of  requiring  a  password  when  the  system  is 
turned  on,  enable  that  feature  and  set  the  password.  This  feature  is  sometimes  known  as  a 
BIOS  or  EEPROM  password. 

Enabling  this  feature  will  require  your  intervention  if  the  system  crashes  because  you  can’t 
configure  the  computer  to  restart  automatically.  This  is  usually  acceptable  for 
workstations  because  if  the  user  is  not  present,  it  is  not  necessary  to  restart  the  computer 
immediately.  However,  enabling  this  feature  can  present  problems  for  network  servers, 
which  normally  operate  24  hours  a  day.  When  the  system  crashes,  an  administrator  may 
not  be  available  to  restart  the  system. 
> Remove unneeded default accounts and groups.

The  default  configuration  of  the  operating  system  often  includes  guest  accounts, 
administrator  accounts,  and  accounts  associated  with  local  and  network  services.  The 
names  and  passwords  for  those  accounts  are  well  known.  Remove  or  disable  unnecessary 
accounts  to  eliminate  their  use  by  intruders. 

> Change default passwords.

For  default  accounts  that  you  want  to  keep  on  the  system,  change  the  passwords  to  make  it 
harder  for  intruders  to  compromise  the  accounts.  Also  disable  passwords  for  accounts  that 
need  to  exist  but  do  not  require  an  interactive  login. 

>  Create  the  user  groups  for  the  particular  computer. 

Assign  users  to  the  appropriate  groups.  Then  assign  rights  to  the  groups,  as  documented  in 
your  deployment  plan.  This  approach  is  preferable  to  assigning  rights  to  individual  users. 

>  Create  the  user  accounts  for  the  particular  computer. 

Your  deployment  plan  identifies  who  will  be  authorized  to  use  each  computer  and  its 
services.  Create  only  the  necessary  accounts.  Check  your  password  policy,  and  set  account 
passwords  appropriately. 

A  password  policy  should  address 

•  length:  a  minimum  length  for  passwords.  It  is  common  to  specify  a  minimum  length  of 
eight  characters. 

•  complexity:  the  mix  of  characters  required.  It  is  common  to  require  passwords  to 
contain  both  uppercase  and  lowercase  letters  and  at  least  one  nonalphabetic  character. 

•  aging:  how  long  a  password  may  remain  unchanged.  It  is  common  to  require  users  to 
change  their  passwords  at  least  once  a  month.  The  policy  should  permit  users  to  do  so 
only  through  approved  authentication  mechanisms. 

•  reuse:  whether  a  password  may  be  reused.  Some  users  try  to  defeat  a  password  aging 
requirement  by  changing  the  password  to  one  they  have  used  before. 

•  authority:  who  is  allowed  to  change  passwords 

Finally,  if  you  have  retained  any  of  the  default  administrator  accounts,  consider  changing 
their  names. 

> Ensure users follow your password policy.

Document  your  password  policy,  communicate  it  to  users,  and  train  them  to  always  follow 
the  policy. 

Configure  the  password-setting  software  to  reject  passwords  that  don’t  conform  to  your 
policy,  if  the  operating  system  provides  this  feature. 

>  Configure  computers  to  require  reauthentication  after  idle  periods. 

This  step  is  most  useful  for  workstations,  but  consider  it  for  network  servers  as  well, 
especially  if  the  server  will  be  administered  from  the  console. 

Most  operating  systems  include  software  to  display  a  changing  image  (screensaver)  on  a 
monitor  or  software  to  power  down  monitors  and  disks  (energy  saver)  after  a  short  period 
of  inactivity. 
This inactivity may indicate that the workstation is unattended though a user is still logged
in. Requiring reauthentication when the user returns prevents an unauthorized person from
using an active session while the authorized user is away.

If  possible,  configure  the  operating  system  to  terminate  a  session  (log  out)  after  a  specified 
idle  period  (typically  15  minutes).  Alternatively,  install  a  third-party  “locking  screen 
saver”  to  do  the  same  thing. 

Consider  requiring  users  to  shut  down  or  lock  workstations  when  they  leave  the  machine 
unattended.  This  prevents  a  period  of  vulnerability  between  the  time  the  user  leaves  and 
the  time  the  locking  screensaver  is  activated. 

> Configure computers to deny login after a small number of failed attempts.

It  is  relatively  easy  for  an  unauthorized  user  to  gain  access  to  a  computer  by  using 
automated  software  tools  that  attempt  all  passwords.  If  your  operating  system  provides  the 
capability,  configure  it  to  deny  login  after  three  failed  attempts.  Typically,  the  account  is 
“locked  out”  for  a  period  of  time  (such  as  30  minutes)  or  until  a  user  with  appropriate 
authority  reactivates  it. 

This  is  another  situation  that  requires  you  to  make  a  decision  that  balances  security  and 
convenience.  Implementing  this  recommendation  can  help  prevent  some  kinds  of  attacks, 
but  it  can  also  allow  a  malicious  intruder  to  make  failed  login  attempts  to  eliminate  user 
access  -  a  denial  of  service  condition.  You  may  not  consider  this  configuration  acceptable 
for  network  servers  because  it  makes  the  server  unavailable  to  the  authorized  user  whose 
account  was  compromised. 

In  some  cases,  you  need  to  distinguish  between  failed  login  attempts  at  the  console  and 
those  coming  in  through  the  network.  Failed  network  login  attempts  should  not  prevent  an 
authorized  user  or  administrator  from  logging  in  at  the  console. 

Note  that  all  failed  login  attempts  should  be  logged.  (Refer  to  the  security  improvement 
modules  Detecting  Signs  of  Intrusion  [Firth  97  a]  and  Preparing  to  Detect  Signs  of 
Intrusion  [Kochmar  98].) 

> Install and configure other authentication mechanisms as required by your organization’s
security plan and policies.

Consider using other authentication mechanisms such as tokens, one-time password
systems, and biometric hardware and software. They can be expensive, but they may be
justified in some circumstances.

>  For  network  servers,  configure  the  authentication  capability  of  the  network  service 
software,  if  any. 

The  authentication  capabilities  of  network  service  software  packages  vary,  and  we  plan  to 
address  them  in  detail  in  future  modules  on  specific  network  services.  However,  note  that 
some  packages  provide  their  own  mechanisms  for  authenticating  users,  while  others 
depend  on  the  underlying  operating  system.  Be  sure  that  both  are  configured 
appropriately. 
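The password-policy and failed-login steps above, as an added example written for this edition (it is not part of the practice): a checker that rejects passwords violating the length, complexity, aging and reuse rules, and a login guard that locks an account for network logins after three failures within thirty minutes while leaving console logins available, recording every failure without the password. The policy values are the ones the text quotes; the account names, addresses and login attempts are constructed. Keeping plain SHA-256 digests for the reuse history is a simplification for the demonstration; a real implementation compares against the salted hashes the operating system already stores.

```python
"""Added example (not part of the CERT practice): enforce the password policy
described above and deny login after repeated failures in a way that locks
network attempts but never the console.  Policy values are those the text
quotes; accounts and attempts are constructed.  Plain SHA-256 digests stand in
for the operating system's salted password hashes in the reuse check."""
import hashlib

MIN_LENGTH = 8
MAX_AGE_DAYS = 30
HISTORY_DEPTH = 5
MAX_FAILURES = 3
LOCKOUT_SECONDS = 30 * 60


def digest(password):
    """Digest used for the reuse history (a stand-in for the OS password hash)."""
    return hashlib.sha256(password.encode()).hexdigest()


def password_problems(candidate, history):
    """Policy rules the candidate violates (an empty list means it conforms).
    history holds digests of the user's previous passwords, oldest first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("length")
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        problems.append("case")
    if all(c.isalpha() for c in candidate):
        problems.append("nonalphabetic")
    if digest(candidate) in history[-HISTORY_DEPTH:]:
        problems.append("reuse")
    return problems


def password_expired(last_changed, now):
    """Aging rule: the password must be changed after MAX_AGE_DAYS (times in seconds)."""
    return now - last_changed > MAX_AGE_DAYS * 86400


class LoginGuard:
    """Counts failed logins per account and locks the account for network logins
    after MAX_FAILURES within the lockout window.  Console logins are exempt so
    that failed network attempts cannot lock an administrator out of the
    machine.  Every failure is recorded in audit; the password never is."""

    def __init__(self, clock):
        self.clock = clock            # function returning the current time in seconds
        self.failures = {}            # account -> timestamps of recent network failures
        self.locked_until = {}        # account -> time the network lockout ends
        self.audit = []               # (time, account, source, address, outcome)

    def attempt(self, account, password_ok, source, address):
        """source is 'console' or 'network'; returns 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if source == "network" and self.locked_until.get(account, 0) > now:
            self.audit.append((now, account, source, address, "locked"))
            return "locked"   # refused even with the right password: the denial of service the text warns about
        if password_ok:
            self.failures.pop(account, None)
            return "ok"
        self.audit.append((now, account, source, address, "failed"))
        if source == "network":
            recent = [t for t in self.failures.get(account, []) if now - t < LOCKOUT_SECONDS]
            recent.append(now)
            self.failures[account] = recent
            if len(recent) >= MAX_FAILURES:
                self.locked_until[account] = now + LOCKOUT_SECONDS
        return "denied"

    def reactivate(self, account):
        """An administrator clears the lockout instead of waiting for it to expire."""
        self.locked_until.pop(account, None)
        self.failures.pop(account, None)


def demo():
    """Three network failures lock 'alice' out of network logins but not the console."""
    clock = [1_000_000]                          # fake clock so the demo runs instantly
    guard = LoginGuard(lambda: clock[0])
    attacker = [guard.attempt("alice", False, "network", "203.0.113.9") for _ in range(3)]
    owner_network = guard.attempt("alice", True, "network", "192.0.2.20")
    owner_console = guard.attempt("alice", True, "console", "tty1")
    clock[0] += LOCKOUT_SECONDS + 1              # the lockout expires
    after_expiry = guard.attempt("alice", True, "network", "192.0.2.20")
    return {"attacker": attacker, "owner_network": owner_network,
            "owner_console": owner_console, "after_expiry": after_expiry,
            "failures_logged": sum(1 for rec in guard.audit if rec[4] == "failed")}


if __name__ == "__main__":
    print(demo())
```

The demo shows both sides of the trade-off the text describes: the attacker's three guesses lock the account, the legitimate user is then refused over the network even with the correct password, but can still log in at the console, and access resumes when the lockout expires or an administrator calls reactivate().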


Policy considerations

Your organization’s policy for networked systems should

•  describe  under  what  conditions  an  account  is  created  and  deleted.  This  should  include 
what  account  actions  are  taken  (disabled,  deleted,  transferred)  and  how  files  are 
handled when an employee, contractor, or vendor who has an account on your systems
no longer works for your organization.

•  require  appropriate  authentication  of  all  users  on  all  computers  that  can  access 
information  resources;  this  includes  authenticating  users  of  network  services  hosted  by 
your  servers 

•  include  an  appropriate  password  policy 

•  prohibit  users  from  recording  and  storing  passwords  in  places  that  could  be  discovered 
by  intruders 

Your  organization’s  acceptable  use  policy  for  workstations  should  require  that  users  shut 
down  or  lock  their  unattended  workstations. 

When  writing  a  password  policy,  remember  that  requiring  users  to  have  complex 
passwords  may  have  the  undesired  result  of  the  user’s  writing  the  passwords  on  paper  that 
they  keep  near  the  computer  (often  stuck  to  the  machine)  or  with  personal  papers  (in  a 
wallet,  purse,  or  briefcase).  If  that  paper  is  observed,  lost,  or  stolen,  it  creates  a  potential 
vulnerability. 

If  a  password  policy  is  especially  difficult  to  follow,  it  creates  in  users  a  desire  to  find 
ways  around  it.  This  attitude  can  negatively  influence  users’  compliance  with  other 
aspects  of  security  policies. 


Where to find updates

The latest version of this practice, plus implementation details for selected technologies, is
available on the Web at URL

http://www.cert.org/security-improvement/practices/p028.html
Configure computer operating systems with
appropriate object, device, and file access controls.


Many  operating  systems  provide  the  capability  to  specify  access  privileges  individually 
for  files,  devices,  and  other  data  or  code  objects.  We  recommend  that  you  configure  the 
settings  on  files  and  other  objects  to  take  advantage  of  this  capability  and  protect 
information  stored  on  the  computer. 


Why this is important

By carefully setting access controls, you can reduce both intentional and unintentional
security breaches. For example, denying read access helps to protect confidentiality of
information, and denying unnecessary write access can help maintain the integrity of
information.  Limiting  the  execution  privilege  of  most  system-related  tools  to  authorized 
system  administrators  can  prevent  most  users  from  making  configuration  changes  that 
could  reduce  security.  It  also  can  restrict  the  ability  of  intruders  to  use  those  tools  to  attack 
the  system  or  other  systems  on  the  network. 


How to do it

Note that access controls should be implemented during initial installation and
configuration of the operating system and carefully maintained thereafter.

> Identify the protection needed for files, devices, and objects on the computer.

One  method  that  you  can  use  to  identify  needed  protection  is  to  construct  a  matrix  with 
categories  of  files  and  objects  on  one  axis  and  groups  of  users  (defined  by  roles  and  access 
authority)  on  the  other.  Then  record  in  the  matrix  the  kinds  of  access  privileges  allowed 
for  that  class  of  objects  and  that  class  of  users.  The  privileges  are  based  on  the  security 
requirements  (such  as  confidentiality,  integrity,  and  availability)  of  the  various  classes  of 
resources. 

For  example,  you  may  have  file  categories  that  include  administrative  information  (user 
names,  passwords,  privileges,  etc.),  applications,  development  tools,  operating  system 
files,  and  user  data  files.  The  latter  may  be  further  subdivided  into  categories  such  as 
customer  accounts,  inventory  records,  research  data,  and  management  reports.  You  may 
have  user  groups  that  include  system  administrators,  network  service  daemons,  and  users 
from  various  departments. 

As  you  begin  to  identify  privileges,  you  may  need  to  split  some  rows  and  columns.  This 
happens,  for  example,  when  you  discover  that  a  single  group  of  users  is  really  two  groups 
because  their  need  to  access  a  particular  resource  is  not  uniform. 

You  may  also  want  to  distinguish  local  access  privileges  from  network  access  privileges 
for  a  class  of  files. 
Application programs may request and be granted increased access privileges for some of
their  operations — a  change  that  is  not  obvious  to  the  users  of  that  application.  You  may  not 
want  all  those  users  to  have  increased  privileges.  Therefore,  it  is  important  to  take  great 
care  in  assigning  privileges  to  users  and  groups. 

>  Create  the  needed  user  groups. 

When  you  take  the  previous  step,  you  may  identify  categories  of  users  not  documented  in 
the  computer  deployment  plan  with  enough  detail.  Configure  the  operating  system  to 
recognize  the  needed  user  groups,  and  then  assign  individual  users  (including  network 
service  daemons)  to  the  appropriate  groups. 

Carefully  consider  whether  to  retain  a  guest  account  or  group  and  if  you  do,  consider 
greatly  limiting  its  access. 

>  Configure  the  access  controls. 

Configure  the  access  controls  for  all  protected  files,  devices,  and  other  objects,  using  the 
matrix  created  in  the  first  step  above  as  a  guide. 

Pay  attention  to  access  control  inheritance  when  defining  categories  of  files  and  users. 
Ensure  that  you  configure  the  operating  system  so  that  newly  created  files  and  directories 
inherit  appropriate  access  controls,  and  that  access  controls  are  propagated  down  the 
directory  hierarchies  when  you  assign  them. 

> Install and configure file-encryption capabilities for sensitive data.

Some  operating  systems  provide  optional  file  encryption;  there  are  also  third-party  file- 
encryption  packages  available.  These  may  be  useful  if  the  operating  system’s  access 
controls  are  insufficient  for  maintaining  the  confidentiality  of  file  contents.  This  can  be  the 
case  if  the  operating  system  provides  few  or  no  access  control  features,  or  when  the 
relationships  among  categories  of  files  and  categories  of  users  are  so  complex  that  it 
would  be  difficult  to  use  only  access  controls  to  administer  the  security  policy. 

Note that this recommendation pertains only to encryption of files stored on the computer
itself. Encryption of information for transmission over a network is a separate issue.
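The access matrix from the first step, as an added example written for this edition (it is not part of the practice): the matrix as data, a check of what it permits, and a translation of each row into owner/group/other permission bits, with the setgid bit on directories so that new files inherit the directory's group (the inheritance the text asks you to verify). A row that gives different access to two or more groups cannot be enforced with basic permission bits alone and is flagged; that is the "too complex for access controls alone" case in which the text suggests file encryption, and also where ACLs or splitting the category would help. The categories, groups and privileges, and the assumption that protected files are owned by an administrative user in a "sysadmin" group, are all ours.

```python
"""Added example (not part of the CERT practice): the access matrix as data,
a check of what it permits, and a translation of each row into POSIX
owner/group/other bits.  Rows that need distinct access for two or more
non-owner groups are flagged as not expressible with basic permission bits.
Categories, groups, privileges and the owner assumption are constructed."""

OWNER_GROUP = "sysadmin"   # assumption: protected files are owned by a user in this group
EVERYONE = "*"             # row key for privileges granted to all users

# MATRIX[category][group] = privileges ('r', 'w', 'x'); groups not listed get nothing
MATRIX = {
    "os-files":      {"sysadmin": "rwx", EVERYONE: "rx"},
    "admin-tools":   {"sysadmin": "rwx"},
    "customer-data": {"sysadmin": "rw", "sales": "rw", "support": "r"},
    "research-data": {"sysadmin": "rw", "research": "rw"},
}


def allowed(category, user_groups, privilege):
    """What the matrix itself says: a user holds a privilege on a category if any
    of the user's groups (or everyone) is granted it."""
    row = MATRIX[category]
    return any(privilege in row.get(g, "") for g in set(user_groups) | {EVERYONE})


def _bits(privs):
    return (4 if "r" in privs else 0) | (2 if "w" in privs else 0) | (1 if "x" in privs else 0)


def plan_permissions(row):
    """Translate one row into (file_mode, dir_mode, file_group), modes as octal strings.
    Returns None when more than one non-owner group needs access beyond what
    everyone gets: the permission bits have room for exactly one such group."""
    everyone = set(row.get(EVERYONE, ""))
    owner = set(row.get(OWNER_GROUP, "")) | everyone
    distinct = {g: set(p) | everyone for g, p in row.items()
                if g not in (EVERYONE, OWNER_GROUP) and set(p) - everyone}
    if len(distinct) > 1:
        return None
    group, group_privs = next(iter(distinct.items())) if distinct else (None, everyone)
    file_mode = (_bits(owner) << 6) | (_bits(group_privs) << 3) | _bits(everyone)

    # directories need search (x) wherever read is granted so their contents are
    # reachable; the setgid bit makes new files inherit the directory's group
    def dir_bits(privs):
        return _bits(privs) | (1 if "r" in privs else 0)
    dir_mode = (dir_bits(owner) << 6) | (dir_bits(group_privs) << 3) | dir_bits(everyone)
    if group:
        dir_mode |= 0o2000
    return format(file_mode, "o"), format(dir_mode, "o"), group


def plan_all():
    """Plans for every category; a None entry needs ACLs, a split category, or encryption."""
    return {category: plan_permissions(row) for category, row in MATRIX.items()}


if __name__ == "__main__":
    for category, plan in plan_all().items():
        print(category, plan or "cannot be expressed with owner/group/other bits")
```

Running it reports 755 for the operating-system files, 700 for the administrative tools, 660 (directories 2770, group "research") for the research data, and flags the customer data, where sales needs write access and support needs read access: two different non-owner groups, which is precisely the row to split, to put under an ACL-capable file system, or to protect with encryption.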


Policy  considerations 

Your organization’s security policy for networked systems should

• specify access limitations for the information that will be stored on computers

• specify how access to files that have been encrypted with a user key is performed. This is
particularly important when a user no longer works for your organization.

Other information

Some  operating  systems  provide  more  than  one  file  system  with  different  access-control 
capabilities.  It  is  important  to  choose  the  file  system  that  best  meets  your  needs  for  file 
access  control.  Your  decision  may  affect  the  low-level  formatting  of  storage  devices  and 
thus  should  be  made  early  in  the  process  of  configuring  the  operating  system. 

Where  to  find  updates 

The  latest  version  of  this  practice,  plus  implementation  details  for  selected  technologies,  is 
available  on  the  Web  at  URL 

http://www.cert.org/security-improvement/practices/p029.html 
Identify and enable system and network logging
mechanisms.


Collecting  data  generated  by  system,  network,  application,  and  user  activities  is  essential 
for  analyzing  the  security  of  these  assets  and  detecting  signs  of  intrusion.  Log  files  contain 
information  about  past  activities.  Different  systems  provide  various  types  of  logging 
information;  some  systems  do  not  collect  adequate  information  in  their  default  condition. 
You  should  identify  the  types  of  logs  and  logging  mechanisms  available  for  each  system 
asset  (file  access  logs,  process  logs,  network  logs,  application-specific  logs,  etc.),  identify 
the  data  recorded  within  each  log,  and  then  enable  the  collection  of  the  desired  data. 


Why this is important

Log files are often the only record of suspicious behavior. Failure to enable the
mechanisms to record this information and use them to initiate alert mechanisms will
greatly  weaken  or  eliminate  your  ability  to  detect  intrusion  attempts  and  to  determine 
whether  or  not  they  succeeded.  Similar  problems  can  result  from  not  having  the  necessary 
procedures  and  tools  in  place  to  process  and  analyze  your  log  files. 

You  may  need  your  logs  to 

•  alert  you  that  an  intrusion  is  occurring 

•  help  you  recover  your  systems 

•  help  you  to  conduct  an  investigation 

•  provide  information  required  for  legal  proceedings 

•  provide  information  required  for  insurance  claims 


How to do it

> Identify the information to be logged.

Identify 

•  types  of  information  you  can  log 

•  mechanisms  used  for  logging 

•  locations  where  the  logging  is  performed 

•  locations  where  the  log  files  are  stored 

A table of log categories and the types of log information within each category is given
below. You may want to use this list as a guide to the types of information to log (although
not all systems are able to log every type on the list). Tailor logging selections to meet
your site’s needs.
Log category        Types of information to log

Users               • Login/logout information: location and time of failed attempts,
                      attempted logins to privileged accounts
                    • Changes in authentication status, such as enabling privileges

Processes           • Real and effective user executing the process
                    • Process start-up time, arguments
                    • Process exit status, time, duration, resources consumed

Systems             • Actions requiring special privileges
                    • Status/errors reported by hardware and software subsystems
                    • Changes in system status, including shutdowns and restarts

Networks            • Service initiation requests
                    • The name of the user/host requesting the service
                    • Network traffic
                    • New connections
                    • Connection duration

File systems        • Changes to access control lists and file protections
                    • File accesses (opening, creating, executing, deleting)

Applications        • Application- and service-specific information, e.g., mail logs,
                      FTP logs, Web server logs, modem logs, firewall logs

If  possible,  do  not  log  passwords,  even  incorrect  ones.  Logging  correct  passwords  creates 
an  enormous  potential  vulnerability  if  a  non-authorized  user  or  intruder  accesses  audit 
records.  Recording  incorrect  passwords  is  also  risky  as  they  often  differ  from  valid 
passwords  by  only  a  single  character  or  transposition.  Turning  off  password  logging  may 
require  resetting  a  system  default.  If  you  cannot  turn  off  password  logging,  you  need  to 
exercise  special  care  in  protecting  access  to  log  files  that  contain  this  information,  as 
described  in  the  last  two  steps  in  this  practice. 

You  may  want  to  log  data  about  password  use  such  as  the  number  of  failed  attempts, 
accesses  to  specific  accounts,  etc. 

> Determine if the logging mechanisms provided with your systems and networks
sufficiently capture the required information.

Determine  the  logging  mechanisms  available  for  the  platforms  at  your  site,  how  the  log 
files  are  named,  and  where  they  are  located.  The  names  of  these  log  files  can  differ  even 
among  versions  of  the  same  operating  system  delivered  by  a  single  vendor,  so  it  is 
important  that  you  verify  this  each  time  you  upgrade  your  systems. 

Identify  what  types  of  information  each  logging  mechanism  can  capture.  The  combination 
of  mechanisms  should  capture  the  information  identified  in  the  table  categories  noted 
above.  There  may  be  differences  in  the  log  file  contents  provided  by  different  vendors, 
even  for  similar  types  of  systems. 

If  the  logging  mechanisms  provided  by  your  vendor  are  insufficient  to  capture  the  data 
you  need,  use  other  tools  to  capture  the  additional  information.  You  may  need  to  develop 
these. 
> Enable logging.


Using  the  logging  mechanisms  provided  by  the  vendor  and  any  supplemental  tools,  enable 
all  logging  that  you  have  selected  from  the  previous  step.  For  help,  refer  to  the 
administration  documentation  for  your  systems  to  learn  how  to  enable  each  of  the  logging 
mechanisms  and  refer  to  documentation  for  other  tools  used  during  setup.  This 
documentation  will  specify  whether  these  mechanisms  need  to  be  enabled  only  once,  each 
time  the  system  is  rebooted,  or  at  regular  intervals  during  the  system’s  normal  operation. 
Some  logging  mechanisms  let  you  select  different  levels  of  detail. 

Pay  attention  to  the  location  of  the  log  data:  some  tools  allow  you  to  specify  a  file  or 
directory  where  the  data  is  logged  while  others  write  their  data  to  a  predefined  default 
location. Make sure that you have sufficient space for the data that is generated. Ensure
that the logged data is protected correctly, based on previously determined ACLs (access
control lists).

Be aware that multiple logging mechanisms may contribute log records to a single log file,
such as syslog on UNIX systems.

> Protect logs to ensure they are reliable.

To protect sensitive information, ensure that log files are protected from being accessed or
modified by unauthorized users. Confirm that only authorized users can access utilities
that reconfigure logging mechanisms, turn the utilities on and off, and write to, modify,
and read log data.

It is important to collect and archive log files so that an intruder cannot access them to
remove or alter signs of an intrusion or add erroneous information. Use the following
methods to ensure log files are not modified:

• Log data to a file on a separate host, preferably one in a physically secure location that
is not easily accessible from the network. For example, capturing log data on a
computer attached via a dedicated serial line provides a way of storing the log files more
securely than writing them to the logging host's own disks.

• Log selected data to a write-once/read-many device (such as CD-ROM or a specially
configured tape drive) or to a write-only device (such as a printer) to eliminate the
possibility of the data being modified once it is written.

• If supported by your systems, set selected log file attributes that allow only new
information to be appended to the log files (i.e., new records can be added, but those
already recorded cannot be modified). Note that an intruder who gains administrative
privileges can usually clear such attributes, so this complements rather than replaces
logging to a separate host.

• Encrypt log files, particularly those that contain sensitive data or those being transmitted
across a network.

Logging directly to disk on the local host is easiest to configure and allows instant access
to file records for analysis, but it is also the least trustworthy: an intruder who
compromises the host can alter or delete the records. Collecting log files on a write-once
device requires slightly more effort to configure but is more secure. However, data is not
as easily accessed, and you need to maintain a supply of storage media.

Printing the logging results is useful when you require permanent and immediate log files,
but printed logs can be difficult to search, require manual analysis, and require a
potentially large storage space.

When the host generating the logging data is different from the host recording it, you must
secure the path between them. For environments where short distances separate the
generating host from the recording host, you can attach them with single point-to-point
cable(s). For environments where this approach is not practical, minimize the number of
networks and routers used to make the connection, or encrypt sensitive log data as it is
generated.

You need to prepare systems that perform logging to ensure that they do not stop
functioning in the event of a logging denial-of-service attack. A UNIX example would be
an intruder launching an attack that fills up the syslog files so that when the logging
partition is full, logging ceases. Two means of preparation are creating separate file
partitions for different log information and filtering network messages (for example,
syslog messages arriving from hosts that should not be sending them) to decrease the
likelihood of such attacks.
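The methods above keep an intruder away from the log store. A complementary control, added here as an example and not part of the module's own text, makes modification detectable even when the store is reached: each record carries an HMAC computed over its own text and the tag of the record before it, so editing, deleting, or reordering any record breaks the chain from that point on. The chain key is assumed to be held only by the collecting host (the separate log host of the first bullet); the key and the syslog lines below are constructed placeholders.

```python
# Added example (not code from the CERT module): a tamper-evident log in which each
# record carries an HMAC over its own text and the tag of the record before it.
# Assumption: the chain key is known only to the log collector (e.g. the separate
# log host), so an intruder on the generating host cannot recompute tags.
import hashlib
import hmac

CHAIN_KEY = b"constructed-demo-key-replace-in-production"  # placeholder, not a real key
GENESIS = "0" * 64  # tag that precedes the first record

def _tag(key: bytes, prev_tag: str, record: str) -> str:
    return hmac.new(key, prev_tag.encode() + b"\n" + record.encode(),
                    hashlib.sha256).hexdigest()

def append_record(chain: list, record: str, key: bytes = CHAIN_KEY) -> dict:
    """Append one record; its tag binds it to every record that precedes it."""
    prev = chain[-1]["tag"] if chain else GENESIS
    entry = {"seq": len(chain), "record": record, "tag": _tag(key, prev, record)}
    chain.append(entry)
    return entry

def verify_chain(chain: list, key: bytes = CHAIN_KEY) -> tuple:
    """Return (True, None) if intact, else (False, index of the first bad record).
    Catches edited records, deleted records, and reordering."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["tag"] != _tag(key, prev, entry["record"]):
            return False, i
        prev = entry["tag"]
    return True, None

# Constructed sample syslog lines (not from a real system)
SAMPLE_LINES = [
    "Mar  3 10:14:01 web1 sshd[2231]: Accepted publickey for admin from 10.0.0.5 port 51022",
    "Mar  3 10:14:09 web1 sudo: admin : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "Mar  3 10:15:40 web1 sshd[2231]: Disconnected from 10.0.0.5",
]

def build_chain(lines=SAMPLE_LINES) -> list:
    chain = []
    for line in lines:
        append_record(chain, line)
    return chain

def intruder_edits_record() -> tuple:
    """The sudo line is rewritten to hide what was read; detected at seq 1."""
    chain = build_chain()
    chain[1]["record"] = chain[1]["record"].replace("/etc/shadow", "/var/log/wtmp")
    return verify_chain(chain)

def intruder_deletes_record() -> tuple:
    """The sudo line is removed entirely; the gap is detected at seq 1."""
    chain = build_chain()
    del chain[1]
    return verify_chain(chain)
```

The chain alone does not reveal truncation of the tail (an intruder who deletes the newest records leaves a shorter but internally consistent chain), so the collector should also record the latest tag and record count somewhere the generating host cannot reach, such as the write-once device or printer described above.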

> Document your management plan for handling log files.

Handle the total volume of logged information. We recommend that you log as much as
possible for your systems and networks. While log files can consume a great deal of
storage very quickly, it is difficult to anticipate which logs will be critical in the event of
an intrusion. Based on your log collection and storage approach, you may want to
compress log files to allow them to remain accessible online for easier review and to
conserve space.

Determine what logging data is most useful to collect. You need to balance the
importance of recording system, network, and user activities against the resources available
to store, process, review, and secure them. Questions that help you determine the
usefulness of logging data include

• What is the host's sole or primary purpose? For example, if a host is acting as a Web
server, you want to capture Web logs.

• How many users are assigned to the host or system, and how important is it for you to
know who is logged on? This helps you decide how much login/logout information to
capture.

• How important is it to be able to use your logs to recover a compromised system? This
helps you set the priority for capturing information such as data and file transaction
logs.

• What is the range of services that can be performed on this host or system? Process
accounting information is useful to detect unauthorized services.

• What is your organization's ability and capacity to process and analyze all collected
logs to obtain useful information when it is needed?

Rotate log files. This activity consists of

• making a copy of the active (online) log files at regular intervals (ranging from daily to
weekly)

• renaming the files so information contained in the file is not further augmented

• resetting file contents

• verifying that logging still works

Rotating log files allows you to limit the volume of log data you have to examine at any
given time. It also allows you to keep log files open for a limited duration so that damage
is bounded if an active log file is compromised. In this way, you create a collection of log
files that contain well-defined time intervals of recorded data. You can then consolidate
logs from different systems by matching time intervals. This will help you gain a
network-wide perspective on the activities. To perform this consolidation, you will likely
need to merge log files from different systems into a central log file and adjust the
timestamps used in each to match a master clock.
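The consolidation step is where clock differences between hosts matter: without correction, a database connection logged on a slow-clocked host can appear to precede the Web request that caused it. The following is an added example, not code from the module, that merges rotated syslog files from several hosts into one timeline after subtracting each host's measured offset from the master clock. The log lines, the host names, the year, and the offsets are constructed for the illustration; the BSD syslog timestamp layout is assumed.

```python
# Added example (not from the CERT module): merge syslog records from several hosts
# into one central timeline, correcting each host's clock to the master clock.
# Assumptions: BSD syslog timestamp format, and per-host clock offsets measured
# when the logs were collected (here constructed for the sample).
from datetime import datetime, timedelta

YEAR = 2024  # syslog lines carry no year; supplied by the collector

# Constructed sample logs. web1's clock runs 90 s fast; db1's runs 30 s slow.
LOGS = {
    "web1": [
        "Mar  3 10:15:31 web1 httpd[812]: GET /cgi-bin/admin.cgi from 203.0.113.7",
        "Mar  3 10:15:34 web1 httpd[812]: GET /cgi-bin/admin.cgi?cmd=id from 203.0.113.7",
    ],
    "db1": [
        "Mar  3 10:14:05 db1 mysqld[455]: new connection from web1 as appuser",
    ],
}
# host clock minus master clock, in seconds (assumed measured at collection time)
OFFSETS = {"web1": 90, "db1": -30}

def parse_syslog(line: str, year: int = YEAR) -> tuple:
    """Split 'Mmm dd hh:mm:ss host message' into (datetime, host, message)."""
    stamp, rest = line[:15], line[16:]
    host, message = rest.split(" ", 1)
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, host, message

def consolidate(logs: dict = LOGS, offsets: dict = OFFSETS) -> list:
    """Return all records as (master-clock time, host, message), oldest first."""
    merged = []
    for host, lines in logs.items():
        skew = timedelta(seconds=offsets.get(host, 0))
        for line in lines:
            ts, h, msg = parse_syslog(line)
            merged.append((ts - skew, h, msg))
    merged.sort(key=lambda r: r[0])  # stable: equal times keep input order
    return merged

def timeline(logs: dict = LOGS, offsets: dict = OFFSETS) -> list:
    """Compact view: [(hh:mm:ss on the master clock, host), ...]."""
    return [(ts.strftime("%H:%M:%S"), host) for ts, host, _ in consolidate(logs, offsets)]
```

With the offsets applied, the two CGI requests on web1 come first and the database connection from db1 follows them; with `offsets={}` the order is reversed and the causal link is hidden. Keeping every host synchronized to one time source is the simpler fix; the correction above is what you need when the logs were produced before that was done.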
Back up and archive log files. Move your log files to permanent storage or capture them as
part of your regular backup procedure if you want to be able to retrieve them later.
Document the method you use to access archived log files. Create backups before you
execute any automated tools that truncate and reset the log files so that minimal logging
data is lost.

Encrypt log files. We recommend encrypting log files that contain sensitive data as the log
data is being recorded. Protect the encryption software and place a copy of your
encryption keys on a floppy disk or write-once CD-ROM in a secure location such as a
safe or safety deposit box. If the keys are lost, the log files cannot be used. If possible, use
public key encryption. The logs can be encrypted using the public key (which can be
safely stored online) and the corresponding private key (stored off-line) can then be used
to decrypt the logs. Encrypting at recording time with a public key means that an intruder
who later compromises the logging host finds no key on it that would decrypt the records.

Ensure that you have the system and personnel resources necessary to analyze logs on a
regular basis and on demand (i.e., in some cases, daily, and as alert events occur).

Dispose of log files. Ensure that all media containing log file data are disposed of in a
secure manner (e.g., shredding hardcopy output, sanitizing disks, destroying CD-ROMs).


Policy considerations

Your organization's security policy for networked systems should require that you
document a management plan for handling log files. This plan should include what to log,
when and why to log, where to log, and who is responsible for all aspects of the plan.

Other information

See the security improvement modules Detecting Signs of Intrusion [Firth 97a], Preparing
to Detect Signs of Intrusion [Kochmar 98], and Responding to Intrusions
[Kossakowski 99].

Where to find updates

The latest version of this practice, plus implementation details for selected technologies, is
available on the Web at URL

http://www.cert.org/security-improvement/practices/p058.html
Configure computers for file backups.


Before deploying a computer, you need to develop a file backup and restoration plan and
configure the computer to implement that plan.


Why this is important

File backups allow you to restore the availability and integrity of information resources
following security breaches and accidents. Without a backup, you may be unable to
restore a computer's data after system failures and security breaches.


How to do it

> Develop a file backup and restoration plan.

Develop a plan that is broad enough to cover all the workstations and servers you plan to
deploy.

First, determine what categories of files will be backed up. For example, you may choose
to back up only user data files because damaged system files should be reloaded from the
original distribution media. In general, you need to make trade-offs among the speed of the
backup process, the amount of storage needed for the backed-up files, and the effort
required to restore one or all files from the backed-up versions.

There are two common technological approaches to file backups for workstations. With
the first, files are backed up locally at each workstation, often by the user(s) of that
workstation. With the second, backups are centrally administered, with data copied from
workstations via networks. The first approach has the advantage of not requiring that
protected information traverse the network, which reduces the chances of it being
monitored, intercepted, or corrupted. On the other hand, it has the disadvantages of
requiring additional storage devices on each workstation, increased effort to keep the
many backup devices and media secure, and training users to perform the backups.

For network servers, a third technological approach is often used. With this approach, the
authoritative version of the information content of the server is created and maintained on
a secure machine that is backed up. The information is periodically transferred to the
server for access by clients. If the server is compromised and its content damaged, it can
be reloaded from the secure system maintaining the authoritative version. This approach is
typically used for public servers, such as Web servers,¹ because the content changes at
more predictable intervals than, for example, a network file server that supports user
workstations.


1. This approach is elaborated in the security improvement module Security for a Public Web Site
[Firth 97b].
Determine the appropriate medium to contain your backup files based on your
requirements for speed (for both reading and writing), reliability, and storage duration.
Media you should consider include magnetic tape, optical disk, and CD-ROM.

The plan should be designed to ensure that backups are performed in a secure manner and
that the contents of the backups remain secure.

We recommend that the plan specify that

• the source data is encrypted before being transmitted to the storage medium

• the data remains encrypted on the backup storage media

• the storage media are kept in a physically secure facility that is protected from
man-made and natural disasters

Keep the decryption keys with the same care as the media: an encrypted backup whose key
has been lost is as unrecoverable as no backup at all.

> Install file backup tools.

Select file backup tools to allow you to implement your backup plan. You may need to use
third-party software, although the backup capabilities of some operating systems are likely
to be sufficient. You may also need to install storage devices, either centrally or on each
workstation and server, to store the backup copies.

If you choose central administration and storage of backed-up files, be sure that the chosen
tools adequately protect the confidentiality and integrity of information as it travels the
network to the backup device. We recommend that you use encryption technologies.

Note that the tools used to recover backed-up files are normally kept offline, rather than on
individual workstations and servers. If a computer has been compromised, you cannot
trust the integrity of any of the tools on that computer, so recover files using the offline
copies.

> Configure the backup tools and initiate the scheduled backups.

Tool configurations need to reflect your backup and restoration plan. Configure the tools
to save access control settings along with file contents, if that feature is available.

Do the first full backup just before deploying the computer, and then confirm that you can
perform a full restoration from that backup (refer to the step "Test the ability to recover
from backups" below).

> Confirm that the scheduled backups are being performed successfully.

In many organizations, file backups are completely automated, so system administrators
tend to forget that they are happening. Therefore, confirm that the backup procedures for a
newly deployed workstation are actually working.

> Test the ability to recover from backups.

For many system administrators, recovering a file from a backup is an uncommon activity.
This step assures that if you need to recover a file, the tools and processes will work.

Performing this test periodically will help you to discover problems with the backup
procedures so you can correct them before losing data.

Some backup restoration software does not accurately recover the correct file protection
and file ownership controls. Check these attributes of restored files to ensure they are
being set correctly.

Periodically test to ensure that you can perform a full system recovery from your backups.
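The attribute check in the previous steps is easy to automate. The following is an added example, not the module's own procedure or any particular backup product: it records the permission bits and ownership of every file in a tree, backs the tree up to a tar archive, restores it elsewhere, and reports every file whose attributes did not survive. The files, their modes and the temporary paths are constructed for the illustration; a second run simulates a restore tool that silently loosens the protection on a sensitive file, which is exactly the failure the check is meant to catch.

```python
# Added example (not the module's own procedure): back up a small tree to a tar
# archive, restore it to a second directory, and check that permission bits (and,
# when run as root, ownership) survived the round trip.  All paths are temporary
# and the files are constructed stand-ins for real system and user data.
import os
import stat
import tarfile
import tempfile

SAMPLE_FILES = {  # relative path: (content, mode)
    "etc/passwd": (b"root:x:0:0:root:/root:/bin/sh\n", 0o644),
    "etc/shadow": (b"root:*:19000:0:99999:7:::\n", 0o600),
    "usr/local/bin/report": (b"#!/bin/sh\necho report\n", 0o755),
}

def make_sample_tree(root: str) -> None:
    for rel, (data, mode) in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, mode)

def snapshot(root: str) -> dict:
    """Relative path -> (permission bits, uid, gid) for every file under root."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            result[os.path.relpath(p, root)] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return result

def backup(root: str, archive: str) -> None:
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".")

def restore(archive: str, dest: str) -> None:
    # Newer Pythons support an extraction filter that refuses paths escaping dest;
    # use it when present so a crafted archive cannot write outside the target.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(dest, **kwargs)

def compare(original: dict, restored: dict, check_owner: bool) -> list:
    """(path, reason) for every file whose attributes did not survive the round trip."""
    problems = []
    for rel, (mode, uid, gid) in original.items():
        if rel not in restored:
            problems.append((rel, "missing"))
            continue
        rmode, ruid, rgid = restored[rel]
        if rmode != mode:
            problems.append((rel, f"mode {oct(mode)} -> {oct(rmode)}"))
        if check_owner and (ruid, rgid) != (uid, gid):
            problems.append((rel, "owner changed"))
    problems.extend((rel, "unexpected file") for rel in restored if rel not in original)
    return sorted(problems)

def run_recovery_test(simulate_bad_tool: bool = False) -> list:
    """Full backup/restore round trip; returns [] when every attribute was preserved.
    simulate_bad_tool mimics a restore that drops the protection on a sensitive file."""
    with tempfile.TemporaryDirectory() as work:
        src, dst = os.path.join(work, "src"), os.path.join(work, "dst")
        archive = os.path.join(work, "backup.tar.gz")
        os.makedirs(src)
        os.makedirs(dst)
        make_sample_tree(src)
        backup(src, archive)
        restore(archive, dst)
        if simulate_bad_tool:
            os.chmod(os.path.join(dst, "etc/shadow"), 0o644)
        # only root can restore ownership, so only root should insist on it
        return compare(snapshot(src), snapshot(dst), check_owner=(os.geteuid() == 0))
```

Ownership is checked only when the test runs as root, because an unprivileged restore cannot set it and would otherwise report every file. A real full-system recovery test additionally restores onto a scratch host and boots it; the attribute comparison above is the part that is cheap enough to run after every scheduled backup.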
Policy considerations

Your organization's security policy for networked systems should

• require the creation of a file backup and recovery plan

• inform users of their responsibilities (if any) for file backup and recovery


Other information

Be aware that file backups taken from compromised machines may contain damaged files,
services, or other information left behind by an intruder (back doors, Trojan horses).
Exercise caution when you use these backups to restore your computers.

Refer to the practices "Eliminate all means of intruder access" and "Return systems to
normal operation" found in the module Responding to Intrusions [Kossakowski 99] for a
discussion of approaches to consider when you are choosing backup methods.


Where to find updates

The latest version of this practice, plus implementation details for selected technologies, is
available on the Web at URL

http://www.cert.org/security-improvement/practices/p032.html
Protect computers from viruses and similar
programmed threats.


There are several kinds of software that can surreptitiously breach computer security, such
as a¹

• virus: a code fragment (not an independent program) that reproduces by attaching to
another program. It may damage data directly, or it may degrade system performance
by taking over system resources, which are then not available to authorized users.

• worm: an independent program that reproduces by copying itself from one system to
another, usually over a network. Like a virus, a worm may damage data directly, or it
may degrade system performance by consuming system resources and even shutting
down a network.

• Trojan horse: an independent program that appears to perform a useful function but
that hides another unauthorized program inside it. When an authorized user performs
the apparent function, the Trojan horse performs the unauthorized function as well
(often usurping the privileges of the user).

You should configure computers to take countermeasures against these threats. In
addition, you should establish policies and train users to help prevent these programmed
threats from being installed on their workstations.


Why this is important

Programmed threats can cause significant security breaches: confidential information can
be captured and transmitted, critical information can be modified, and the software
configuration of a computer can be changed to permit subsequent intrusions.

Recovering from programmed threats can be expensive. Installing preventative measures
and instituting user training can significantly reduce your exposure to these threats at a
fraction of the cost it would take to recover from them.


How to do it

> Develop a plan for protecting computers from viruses and similar programmed threats.

The plan should specify how much responsibility and authority users and system
administrators should have to take specific actions to protect their computers against
viruses and similar programmed threats.

In the plan, describe how users should use the available virus-detection tools for
workstations, and describe any limitations on the authority of users to download and/or
install new software.


1. Definitions are adapted from Deborah Russell and G. T. Gangemi, Sr., Computer Security Basics,
O'Reilly & Associates, Inc., 1991.
> Install appropriate virus-prevention tools.

Note that copies of virus-detection and eradication tools are usually kept offline; otherwise
it is possible that the virus could modify the detection tools to prevent its own detection.
You should actively check for viruses online, but periodically you should also use the
offline, trusted copies of the tools to scan your systems.

This step is most effective if you perform it as part of the initial installation and
configuration of the operating system.

> Train users in virus prevention and recognition techniques.²

Train users to understand how viruses and other programmed threats propagate and what
they can do to help prevent further propagation. This includes training them to use virus
scanning tools on software obtained from public sources (such as shareware) prior to
loading and executing it.

Many viruses manifest themselves in predictable ways. Train users to recognize virus
symptoms, report them, and run appropriate virus eradication tools (if your plan permits
them to use these tools).

Keep users apprised of new programmed threats and related intrusion scenarios.

> Update the tools as needed, especially when new viruses are discovered.

Many virus-protection tools use a database of known virus characteristics. Vendors
frequently release updated versions of those databases on a weekly or monthly basis.
Ensure that your computers have the most recent versions. Updating your virus-protection
tools using vendor updates as they become available is one of the primary methods to
prevent virus infections. Bear in mind that such a database recognizes only threats the
vendor already knows about, so it complements rather than replaces the restrictions on
downloading and running software described above.


Policy considerations

Your organization's workstation acceptable use policy or security policy for networked
systems should

• define users' authority (or lack thereof) to download and/or install software on the
computer

• specify who has the responsibility to scan for viruses and eradicate them: users or
system administrators

• prohibit users from running executable files that they have received as email
attachments or downloaded from untrusted sites


Where to find updates

The latest version of this practice, plus implementation details for selected technologies, is
available on the Web at URL

http://www.cert.org/security-improvement/practices/p033.html


2. Note that this step is primarily applicable to workstations rather than network servers. For
servers, the administrator is responsible for virus prevention and recognition.
Configure computers for secure remote
administration.


Administration of a workstation or network server includes updating user account
information, examining the logs, installing new or updated software, and maintaining an
appropriate configuration. These tasks usually can be performed locally from the
workstation or server console or remotely from a separate host via a network connection.
Although the former approach is more secure and we recommend it whenever feasible,
the latter is more common.


Why this is important

Remote administration of computers is increasingly common because of the significant
cost benefits: many tasks can be automated and the administrator does not have to
physically visit each computer. However, remote administration tools must be configured
to operate securely.

Although the normal operational state of your computer may be secure, during the
performance of administrative tasks your computer may be in a transient vulnerable state.
This is especially true for remote administration of public servers that have been placed
outside your firewall, because this requires that you open a network connection through
the firewall. Such a connection may be vulnerable to some forms of attack, and it may
open the door to anyone on the Internet being able to "administer" your server. The result
could be the loss of confidentiality or integrity of information resources on the server, an
intruder gaining access to resources on your internal network, or an intruder being able to
use your server or workstation as an intermediate host for attacks on other internal or
external hosts.


How to do it

> Ensure that the computer accepts administration commands only from an authenticated
administrator.

Configure the computer to use a strong method to authenticate the identity of the user who
is initiating the administrative processes. In particular, avoid authentication methods that
require the transmission of a password in clear text, unless it is a one-time password.

> Ensure that the computer will allow administration from only one particular host.

Authenticate the host in a manner that does not depend on network-resolved information
such as IP addresses or DNS names, because intruders can falsify such information. A
cryptographic host key that the administered computer has been configured in advance to
expect is the usual way to do this; restricting by address is at best a secondary control.

> Ensure that all administration tasks operate at the minimum necessary privilege level.

Administration tasks sometimes require increased privilege levels. Take care to raise
privilege levels only as needed.
> Ensure that confidential information, including system configuration information, cannot
be intercepted and read by intruders.

Methods such as encryption help to ensure that network packets travelling between the
administrator's host machine and the computer being administered would not, if
intercepted, provide an intruder with information that would allow subsequent access to
either the computer or your organization's internal network.

> Use a movable storage medium to transfer information from the authoritative copy to
public servers outside your firewall. [This step applies only to Securing Network Servers.]

For some network servers, particularly those providing public services like the World
Wide Web, it is common to develop the information content of those services on a
different host machine. The authoritative version of that content is maintained (and backed
up) on that other machine, and then transferred to the public server at appropriate
intervals. The transfer can be performed most securely by using a movable storage
medium. This could include a writable CD-ROM, diskette, hard disk cartridge, or tape.
Since this procedure does not require a network connection through your firewall, it is
more secure.

During the transfer, you may need to stop or disable your server. Some servers can be
configured to continue operating and to send a "Service temporarily unavailable" message
in response to all requests.

Do not use a transfer method that mounts a file system from a host inside the firewall on
the Web server host using NFS. There are inherent problems in the NFS protocol that
could make that internal host vulnerable to attack, and a compromised public server would
then hold a live mount of an internal file system.

> If you choose to inspect the computer log files from a host other than the computer, use a
secure method of transferring the logs to that host.

Movable storage media and file encryption are two suitable methods for transferring logs.

> After making any changes in a computer's configuration or in its information content,
create new cryptographic checksums or other integrity-checking baseline information for
your server.

See the modules Detecting Signs of Intrusion [Firth 97a] and Preparing to Detect Signs of
Intrusion [Kochmar 98] for additional information on the role of checking the integrity of
baseline information in support of intrusion detection.
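What a checksum baseline looks like in practice, as an added example and not a tool described in the module or the cited ones: record a SHA-256 digest, size and permission bits for every regular file under a directory, write that baseline out, and on a later run report files that were modified, added or removed. The same example illustrates the earlier point about keeping trusted copies of detection tools offline: the baseline file and the checking script are assumed to live on read-only or offline media between runs, because an intruder on the host can otherwise rewrite both the files and the record of what they should be. The sample "binaries" and the intruder's changes are constructed for the demonstration.

```python
# Added example (not a tool from the module): build a baseline of SHA-256 checksums
# for a directory tree and later compare the tree against it.  Assumptions: the
# baseline file and this script are stored offline or on read-only media between
# runs, since an intruder on the host can otherwise rewrite both; the sample files
# below are constructed stand-ins for server binaries and configuration.
import hashlib
import json
import os
import tempfile

def file_digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Relative path -> [sha256, size, permission bits] for each regular file."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue  # record link targets separately if they matter to you
            st = os.stat(p)
            baseline[os.path.relpath(p, root)] = [file_digest(p), st.st_size, st.st_mode & 0o7777]
    return baseline

def save_baseline(baseline: dict, path: str) -> None:
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)

def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)

def check_against_baseline(root: str, baseline: dict) -> dict:
    """Files whose digest, size or mode changed, plus files added or removed."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo() -> dict:
    """Baseline a constructed tree, then simulate an intruder's changes and re-check.
    The 'offline' directory stands in for the removable medium holding the baseline."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as offline:
        sample = {"bin/login": b"ELF login 1.0", "bin/ls": b"ELF ls 1.0", "httpd.conf": b"Listen 80\n"}
        os.makedirs(os.path.join(root, "bin"))
        for rel, data in sample.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline_path = os.path.join(offline, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)
        # intruder: trojaned login of identical size, a dropped back door, a removed config
        with open(os.path.join(root, "bin/login"), "wb") as f:
            f.write(b"ELF login 1.x")
        with open(os.path.join(root, "bin/.hidden"), "wb") as f:
            f.write(b"back door")
        os.remove(os.path.join(root, "httpd.conf"))
        return check_against_baseline(root, load_baseline(baseline_path))
```

The trojaned login has the same length and mode as the original and is caught only by the digest, which is why size and timestamp comparisons alone are not enough. Rebuild the baseline immediately after every legitimate change, as the step above says; otherwise the next check reports your own update as an intrusion and the real one is lost in the noise.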


Policy considerations

Your organization's security policy for networked systems should require the use of secure
procedures for administration of network servers and workstations.

Where to find updates

The latest version of this practice, plus implementation details for selected technologies, is
available on the Web at URL

http://www.cert.org/security-improvement/practices/p062.html
Configure computers to provide only selected
network services.


When you purchase a new computer, there is usually a range of network service client and
server software enabled by default to prepare the computer for use as

• a personal workstation that uses network services only as a client

• a personal workstation that provides and uses services from other workstations

• a workstation that also functions as a public server (This use of a computer introduces
considerable risks.)

• a dedicated network server

Most desktop workstations or network servers do not need all the settings enabled by
default, so you need to configure the operating system to provide only the services
specified in your deployment plan.


Why this is important

Computers that perform services such as file sharing must recognize and "trust" other
computers. Each service can be an entry point for unauthorized users and represents a
potential security problem for that computer and others on the local network. It is
important to enable only the services required for the intended use of the computer.


How to do it

This practice is most effective if it is performed as part of the initial installation and
configuration of the operating system.

> Identify the network services available on the vendor's system.

Identify services provided by the system such as Internet services (file transfer, World
Wide Web, remote login, etc.), file services, computation services (such as remote
procedure calls), electronic mail, and printing services.

> Identify any network services turned on by default.

Read the documentation and the configuration files or settings to determine which
services are on by default. It is useful to run a port-scanning tool from another connected
computer to detect active TCP/IP network ports on the workstation; compare what the
scan finds with what the configuration files say, since a service you did not know about
will show up only in the scan. (Also identify active services based on protocols other than
TCP/IP, such as IPX or AppleTalk.)

Note the default settings for "small" servers, such as the personal Web and file transfer
protocol (FTP) servers. These are becoming common parts of workstation operating
systems. They are intended for file sharing within a workgroup, but it is possible to
(mis)configure them to make local files visible to anyone (including intruders) via public
networks.
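The scan-versus-plan comparison described above, as an added example that is not the module's tool (the module refers to strobe for this job): a minimal TCP connect scan of a host, with the result checked against the list of ports the deployment plan allows. So that it runs anywhere, it scans the loopback address and starts a constructed listener on an ephemeral port to play the part of a "small" server nobody knew was enabled; the allowed ports 22 and 80 are an assumed deployment plan. A real audit runs a dedicated scanner from a second host and also covers UDP and the non-IP protocols mentioned above, which this does not.

```python
# Added example (not the module's tool; the module mentions strobe): a minimal TCP
# connect scan of a host, compared with the services the deployment plan permits.
# It runs against the loopback address with a constructed listener standing in for a
# "small" server left on by default.  A real audit uses a dedicated scanner from a
# second host and also covers UDP and non-IP protocols, which this does not.
import socket
import threading

def scan_tcp(host: str, ports, timeout: float = 0.5) -> list:
    """Return the ports on which a TCP connection to host succeeds."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.append(port)
    return found

def unexpected_services(open_ports, allowed) -> list:
    """Listening ports that the deployment plan does not sanction."""
    return sorted(set(open_ports) - set(allowed))

def _stray_listener(port_out: list, ready: threading.Event) -> None:
    """Constructed stand-in for a default-enabled service, bound to an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(5)
    port_out.append(srv.getsockname()[1])
    ready.set()
    try:
        conn, _ = srv.accept()  # the scan's connect() lands here
        conn.close()
    except socket.timeout:
        pass
    finally:
        srv.close()

def audit(allowed=(22, 80)) -> dict:
    """Start the stray service, scan a small port window plus the planned ports,
    and report what the plan does not cover."""
    port_out, ready = [], threading.Event()
    t = threading.Thread(target=_stray_listener, args=(port_out, ready), daemon=True)
    t.start()
    ready.wait(5)
    stray = port_out[0]
    targets = sorted({stray, stray + 1, stray + 2, *allowed})
    open_ports = scan_tcp("127.0.0.1", targets)
    t.join(5)
    return {"stray_port": stray, "open": open_ports,
            "unexpected": unexpected_services(open_ports, allowed)}

def stray_service_is_flagged() -> bool:
    """True when the audit both sees the stray listener and reports it as unplanned."""
    r = audit()
    return r["stray_port"] in r["open"] and r["stray_port"] in r["unexpected"]
```

Whatever happens to be listening on 22 or 80 on the scanning machine is reported as open but not as unexpected, because the assumed plan allows those ports; the stray listener always appears under "unexpected". A connect scan only proves that something accepted the connection, so the next step is to map each unexpected port back to the process and configuration file that own it before disabling it.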
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>  Disable  and  remove  all  network  services  not  required  by  your  deployment  plan. 

Identify  any  unneeded  services  that  are  enabled  and  disable  them.  Then  remove  the 
executable  files  for  the  service  and  its  associated  configuration  or  data  files. 

When  considering  services  to  enable  or  disable,  administrators  typically  think  of  those 
services  that  run  as  processes.  This  includes,  for  example,  telnet,  FTP,  electronic  mail,  and 
Web  services.  However,  most  of  today’s  systems  also  provide  services  directly  from  the 
kernel.  An  example  would  be  a  netmask  request.  That  request  is  typically  broadcast  onto 
the  local  area  network,  and  all  systems  that  see  that  request  answer  it,  if  not  otherwise 
instructed.  The  kernel  of  those  answering  systems  is  providing  the  netmask  service,  more 
than  likely  unbeknownst  to  the  administrator  of  that  computer. 

You  need  to  determine  what  services  are  provided  by  the  kernel  and  what  controls  the 
operating  system  provides  to  configure  those  services.  These  services  are  frequently  not 
documented  and  are  often  not  controllable.  There  is  no  tool  that  we  know  of  to  test  for  the 
presence  of  such  services  in  a  manner  similar  to  the  way  the  strobe  tool  for  UNIX  systems 
tests  for  services  running  as  processes.  The  best  source  of  information  is  the  system 
vendor. 

We  recommend  that  you  configure  computers  to  offer  only  the  services  that  your 
deployment  plan  specifies  they  should  provide.  Providing  multiple  services  or  combining 
the  role  of  workstation  and  server  on  the  same  machine  makes  it  harder  to  maintain 
security. 

> For all remaining network services, modify the default configuration to limit access and
exposure.

We recommend that you use the configuration principle "deny first, then allow." That is,
turn off as many services and applications as possible and then selectively turn on those
that are essential.

Depending upon the service, you can

• limit which hosts can access the service

• limit which users can access the service

• configure the service to allow only authenticated connections. The authentication
should not rely solely on network data such as IP addresses and DNS names, which can
easily be falsified (i.e., spoofed).

• limit the degree of access (especially limiting access that would permit a user to change
the configuration of network services)

• if applicable, limit the range of facilities and functions offered by the service to only
those deemed necessary (e.g., if files will be shared via FTP, then only permit file
downloads and restrict file uploads)

• isolate the service's files (configuration, data files, executable images, etc.) from those
of other services and the rest of the system

If the operating system does not provide the mechanisms that allow you to limit access,
then identify and install third-party tools to accomplish this.

An important type of network service is remote administration, usually appearing as an
instance of the remote login service. It is increasingly common because of the cost
benefits — many tasks can be automated and the administrator does not have to visit each
computer to perform administrative tasks. However, the remote login service and the
administration tools must be configured securely. You should pay attention to

• authentication. Ensure that the computer accepts administration commands only from a
"strongly" authenticated administrator (e.g., in a way that cannot be intercepted,
replayed, or spoofed).

• privilege. Administration tasks sometimes require increased privilege levels. Ensure
that all such tasks operate at the minimum necessary privilege level.

• privacy. Ensure that confidential information, including system configuration
information, cannot be intercepted and read by intruders.

> Configure each service to identify possible security breaches.

Enable logging for all interactions with the service. You need to take additional
precautions to ensure that the logs themselves are secured, such as logging to a different,
more secure and controlled log host. This also allows the system administrators to check
these logs unobtrusively for signs of possible intrusions or security violations. This will
help you compare logs across systems and recognize suspicious patterns that may be
harder to detect in the logs of a single system.

This step is discussed in more detail in the modules Preparing to Detect Signs of Intrusion
[Kochmar 98] and Detecting Signs of Intrusion [Firth 97a].


Policy considerations The security policy for your networked systems should identify all network services that
need to be available from desktop workstations and network servers. All other services
should be explicitly prohibited.


Where to find updates The latest version of this practice, plus implementation details for selected technologies, is
available on the Web at URL

http://www.cert.org/security-improvement/practices/p038.html
Configure network service clients to enhance security.


Users typically need to access several network services from their workstations. Examples
include centralized file services, electronic mail, the World Wide Web, database access,
collaboration or conferencing services, electronic bulletin boards, file transfers, and
remote access to other workstations. You must configure the client software to maintain
security.


Why this is important A significant percentage of intrusions into workstations are achieved by exploiting
vulnerabilities in network service clients and the underlying network service protocols.
Many vulnerabilities can be eliminated by careful configuration of network service clients
and installation of vendors' patches and upgrades.


How to do it You must securely configure network service clients during the initial installation and
setup of the operating system and carefully maintain the configuration thereafter.

There are many network services and different client software packages for using services.
It is therefore not possible to provide detailed configuration advice for each kind of client.
The steps below describe general guidelines to help you configure network service clients
to enhance security.

> Identify the behaviors of your network service clients that may lead to security problems.
Consider issues such as these:

• Can the client be used to transmit confidential information (either personal or company
data) over public networks? If so, you may need to use cryptographic software in
conjunction with the client, and institute policies that limit the users who are allowed to
transmit.

• Does the client software require increased user privileges? If so, then misuse may
result in other, more destructive actions at the higher privilege level.

• Can the client be used, either directly or indirectly, to download and execute software?
Web browsers, for example, can be configured to execute ActiveX, Java, or JavaScript
code from external Web sites. ActiveX and Java applets have been known to have
undesirable side effects that can result in security problems. You may want to disable
them on browsers. If disabling ActiveX, Java, or JavaScript is not feasible or desirable,
you should consider the use of a proxy server to intercept incoming Web pages and not
allow these applets to be passed to the requesting client.

• You should institute policies describing the circumstances when users may or may not
download and execute code from external sites.
• Can the client corrupt data because of improper configuration?

• Can the client disclose to servers confidential information about the client's host
system configuration, network, or the user?

> Maintain an awareness of vendors' updates to all client software, especially updates
related to security.

Vendors and organizations addressing network security issues often publish information
related to recently discovered vulnerabilities in network service software (both clients and
servers). You should actively seek this information and use it to help you configure or
update network service clients.

Refer to the practice "Keep operating systems and applications software up to date."

> Configure the client to maintain security.

The details of this step obviously vary widely among the available software packages for
each network service. The following steps define a general configuration strategy:

• Determine what is configurable.

• Determine the likely threats to security presented by the software.

• Turn off all software features except those absolutely necessary to provide the desired
level of service.

• Use access controls to inhibit enabling of restricted settings.

• Establish user policies to help maintain security where corresponding features of the
software are lacking.


Policy considerations Your organization's workstation acceptable use policy should

• describe precautions that users should observe when using a Web browser (for
example, should Java and ActiveX be disabled to prevent execution of untested or
unexpected applets?)

• describe under what circumstances, if any, users may download and execute software
from other hosts (inside or outside your organization)

• describe limitations, if any, on the kinds of information that may be included in
electronic mail


Where to find updates The latest version of this practice, plus implementation details for selected technologies, is
available on the Web at URL

http://www.cert.org/security-improvement/practices/p030.html
11 Configure multiple computers using a tested model configuration and a secure
replication procedure.


When deploying several computers, especially desktop workstations, across an
organization, it is common to configure one appropriately and then propagate that
configuration to all the others. You need to ensure that this is done in a secure manner,
especially if a network is used for the propagation.


Why this is important During the process of configuring a computer, not all of its security features and controls
are yet in place. This makes the computer more vulnerable to attack. Performing the
configuration on the model system in an isolated environment (not connected to your
organization's networks or public networks) can prevent network-based attacks. Similarly,
physical isolation during configuration limits who can access the computer.

Once the configuration is tested and found to satisfy your security requirements, it can be
replicated on other computers. This helps establish a consistent level of security on all
computers on your network. It also facilitates consistent updating of all computers when
necessary.

The replication process must be performed securely to prevent corruption of the
configuration information and to prevent attacks on the other computers before they are
fully configured.


How to do it > Create the model configuration on a single computer in an isolated test environment.

The isolated environment prevents intruders from gaining access to the computer during
the initial configuration process, while it is in a less secure state.

> Test the model configuration.

Many tests can be done in the isolated test environment. However, it may be necessary to
do some final tests in a production environment. Be particularly vigilant for signs of
intrusion during those tests. Also, the newly configured computer may affect other
computers or affect the network in ways that you did not expect.

> Replicate the configuration on other computers.

There are three approaches to replicating the configuration. The first is to record the steps
performed to create the model configuration and then repeat those steps manually on each
computer. This may be the only secure way to install computers in remote locations. It is,
however, often prone to human error and is not manageable for a large number of
computers.

The second approach is to save the configuration on a storage device that can be write-
protected, moved to the other workstations, and used as a master copy. This is less error-
prone, but it still requires considerable effort by the administrators and therefore does not
scale up for a large number of computers. It also requires the individual computers'
configurations to be modified before deployment, so that each computer can be uniquely
identified on the network.

The third approach is to use the network to transfer the model configuration to the other
computers. This requires that they are already running in some default or minimal state
that is likely to be less secure than the model configuration. Thus all the computers and the
network are likely to be vulnerable to attack during the process of replicating the model
configuration. To lessen this vulnerability, you should use only an isolated network
segment for propagating the model configuration during the configuration process.

> Make configuration changes on a case-by-case basis.

Each workstation may have a different primary user, so you may need to create user
accounts for them on their particular systems.

You can make these changes either at the workstation itself or from an administrator's
workstation with secure network connectivity to the workstations being deployed.

> Record cryptographic checksums on each computer, as required by the intrusion detection
measures documented in your deployment plan.

A standard intrusion detection technique is to watch for unexpected changes to files. This
relies on knowing the expected content of those files. One common method is to record
file integrity information in the form of cryptographic checksums when you know the files
are correct (such as at the time the computer is deployed).

This technique is elaborated in the security improvement module Detecting Signs of
Intrusion [Firth 97a].
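The checksum step above, as an added example that is not part of the module or of any CERT tool: a baseline of SHA-256 digests is recorded for a file tree at deployment time, and a later scan is compared against it to report modified, missing and newly added files. The directory layout, file contents and the "tampering" in demo() are constructed sample data.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example for this practice (not code from the module): record
# cryptographic checksums when the files are known to be correct, then
# detect unexpected changes by rescanning and comparing.


def file_digest(path: Path, chunk_size: int = 65536) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        # Only regular file content is hashed; symlinks and directories are skipped.
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = file_digest(path)
    return baseline


def save_baseline(baseline: dict, out_file: Path) -> None:
    """Write the baseline as JSON.  In practice keep this file on write-protected
    media or a separate secure host: a baseline an intruder can rewrite detects nothing."""
    out_file.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(in_file: Path) -> dict:
    return json.loads(in_file.read_text())


def compare_to_baseline(baseline: dict, root: Path) -> dict:
    """Rescan root and report files whose content changed, vanished, or appeared."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: deploy three files, record the baseline, then change
    one, delete one and add one before re-checking.  All contents are sample data."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "sub").mkdir(parents=True)
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "sub" / "service.conf").write_text("allow = 10.0.0.0/8\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated unexpected changes after deployment (constructed).
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "hosts").unlink()
        (root / "sub" / "extra.conf").write_text("allow = 0.0.0.0/0\n")

        return compare_to_baseline(load_baseline(baseline_file), root)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```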


Policy considerations Your organization's security policy for networked systems should require that all
computers be configured securely prior to deployment.


Where to find updates The latest version of this practice, plus implementation details for selected technologies, is
available on the Web at URL

http://www.cert.org/security-improvement/practices/p036.html
Allow only appropriate physical access to computers.


In addition to the steps you take to prevent inappropriate electronic access to a computer,
you should also strive to allow only appropriate physical access. What this means can vary
depending on the locations of computers — whether they are in locked offices or in open-
plan space, for example.

Physical access also includes activities such as installing or removing hardware.


Why this is important If unauthorized persons can physically access a computer, the integrity of that system is at
considerable risk. If a system is connected to internal networks, then intruders can access
resources in a way that bypasses all of your network perimeter defenses.

To preserve the confidentiality and availability of data, you must prevent the computer and
its storage media from being removed from the facility by unauthorized persons.

If new hardware can be installed, such as a modem, it may make new electronic access
paths to the computer and your network available to intruders.


How to do it > Prevent installation of unauthorized hardware and modification of authorized hardware.

Installation of new hardware can lead to security problems in several ways:

• Installing a modem allows a direct connection from the computer to the public
telephone network, which may then permit electronic access into your network from
anywhere in the world, bypassing your perimeter defenses.

• Installing a removable-media storage device or printer makes it easy to copy
information and carry it away from your site.

• Installing a boot device that precedes the authorized device in the boot sequence allows
the computer to be restarted in a configuration that bypasses your security precautions.

You should lock the computer case, if possible. This may require third-party locking
devices.

You may also want to remove or disable the external connectors on the computer.

> Deploy the computer in a secure facility.

Deploying the computer in a secure facility helps to prevent unauthorized access to the
computer, theft, and destruction.

As a general rule, do not deploy network servers in an individual's office.
> Secure the network wiring and other network connection components.

For security purposes, ensure that the network cabling is not placed in a physical location
where it can be easily accessed. Note that this requires you to trade off the convenience of
access for network maintenance against security.


Policy considerations Your organization's security policy for networked systems should

• specify who is or is not allowed to install new hardware or modify existing hardware in
a computer

• specify the circumstances under which users may or may not use storage devices with
removable media

• specify the circumstances under which users may take storage media or printed
information away from your site

• require that network servers be deployed in physically secure locations


Where to find updates The latest version of this practice, plus implementation details for selected technologies, is
available on the Web at URL

http://www.cert.org/security-improvement/practices/p037.html
13 Develop and promulgate an acceptable use policy for workstations.


Organizations should develop a policy defining the acceptable uses of workstations. The
policy should identify and encourage user behavior that can enhance security, and
discourage or prohibit user behavior that can reduce or breach security. You should help
users understand the type of information you are protecting and their responsibilities in
that protection.


Why this is important Security of a desktop workstation is ultimately the responsibility of the users. Their daily
work usually requires that protected information resources be accessed, manipulated,
modified, and transmitted across networks. If your users don't understand their security
responsibilities and your organization's expectations, then the technological measures to
enforce security may be ineffective.

Some of the security features built into operating systems or provided by third-party
software products make it possible to enforce secure user behaviors. In the absence of
such features, the only alternative may be to establish and enforce a policy prohibiting
user actions that can reduce security.


How to do it > Gain management-level support for the development and promulgation of an acceptable
use policy.

A policy must be enforceable to achieve its objectives. In most organizations, the system
administrators responsible for the technological aspects of information security do not
have the authority to enforce user security policies. It is therefore necessary to educate
your management about security issues and the need for an acceptable use policy, and then
to obtain a commitment to support the development, promulgation, and enforcement of
that policy.

> Designate an individual in your organization to have responsibility for the development,
maintenance, and enforcement of the acceptable use policy.

The person who fills this role must have enough authority to enforce the policy. In many
large organizations, the chief information officer (CIO) is the appropriate choice. System
administrators are unlikely to be able to exercise the authority needed for this task.

While the CIO will probably delegate the tasks of writing and maintaining the policy, he
or she must retain the responsibility and authority to enforce it.

> Develop the policy with participation from all stakeholders.

As a general rule, policies are more successful if they are developed in cooperation with
the people to whom they apply. Workstation users are in the best position to evaluate how
various policy statements might affect how they perform their work. Although middle- or
high-level managers may be responsible for setting overall information security policies,
they need to collaborate with system administrators, operations staff, and the technology
users in order to define reasonable technological and procedural protection measures for
information resources.

The policy should cover all of the information technologies that your staff are likely to
use. The policy needs to address corporate data, network access, and use of workstations,
portable computers, home computers, modems, software packages, etc.

> Explain the policy to all users and train them to follow it.

When a new policy is first adopted in an established organization, not everyone will want
to make the behavioral changes to comply with it. You must be sure to explain the
motivation for the policy. This can be effectively accomplished by peers, including those
who participated in the development of the policy.

Train new employees about the policy as part of their initial orientation and inform all
employees whenever the policy changes, retraining them if necessary.

> Document user acceptance of the policy.

Documenting user acceptance is typically accomplished by requiring each user to sign a
statement acknowledging that he or she understands the policy and agrees to follow it.

> Provide explicit reminders at each login.

To avoid the risks of possible litigation and liability, it is essential that users see a
statement when they log in informing them that they should use the workstation in
accordance with the acceptable use policy and that you may monitor their use to ensure
compliance. This message may also help remind users of their responsibilities.

> Maintain the policy to reflect changes in your business and your networked systems
technologies.

You need to review and update your policy on a periodic basis and as events dictate.


Policy considerations An acceptable use policy is best developed as part of an overall site security policy.

The acceptable use policy for workstations should include a discussion of

• workstations a user may or may not use

• hardware changes the user may make

• software the user may install or remove

• kinds of work the user may perform on the workstation (such as manipulation of
classified data or conducting personal business)

• network services the user may or may not use

• information the user may or may not transmit across the network (such as in electronic
mail)

• user responsibilities to operate the workstation securely, such as performing
administrative tasks

• the kinds of configuration changes users may or may not make if they are given higher
levels of privilege


Where to find updates The latest version of this practice, plus implementation details for selected technologies, is
available on the Web at URL

http://www.cert.org/security-improvement/practices/p034.html